After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 705099 - Heap-buffer-overflow on saving a fuzzed ods file
Heap-buffer-overflow on saving a fuzzed ods file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
git master
Other Linux
: Normal critical
: ---
Assigned To: Andreas J. Guelzow
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-07-29 19:36 UTC by jutaky
Modified: 2013-07-30 18:07 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-07-29 19:36:58 UTC 
Heap-buffer-overflow on saving a fuzzed ods file. Heap-buffer-overflow detected by AddressSanitizer.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_10010_5840.2ods.ods

Backtrace from "ssconvert gnumeric_case_10010_5840.2ods.ods /tmp/out.ods"

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7560269 in go_format_as_XL (fmt=0x7466656c2d6b74) at utils/go-format.c:6013
6013		return fmt->format;
(gdb) bt

+ Trace 232312

  • #0 go_format_as_XL
    at utils/go-format.c line 6013
  • #1 go_format_output_date_to_odf
    at utils/go-format.c line 7421
  • #2 go_format_output_to_odf
    at utils/go-format.c line 8660
  • #3 odf_write_xl_style
    at openoffice-write.c line 4855
  • #4 odf_write_this_xl_style_neg
    at openoffice-write.c line 4869
  • #5 g_hash_table_foreach
    at ghash.c line 1526
  • #6 odf_write_office_styles
    at openoffice-write.c line 5266
  • #7 odf_write_styles
    at openoffice-write.c line 5500
  • #8 openoffice_file_save_real
    at openoffice-write.c line 8314
  • #9 odf_file_save
    at openoffice-write.c line 8409
  • #10 go_plugin_loader_module_func_file_save
    at app/go-plugin-loader-module.c line 366
  • #11 go_plugin_file_saver_save
    at app/go-plugin-service.c line 948
  • #12 go_file_saver_save
    at app/file.c line 848
  • #13 wbv_save_to_output
    at workbook-view.c line 1050
  • #14 wb_view_save_to_uri
    at workbook-view.c line 1087
  • #15 wb_view_save_as
    at workbook-view.c line 1123
  • #16 convert
    at ssconvert.c line 788
  • #17 main
    at ssconvert.c line 855 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Andreas J. Guelzow 2013-07-30 17:50:41 UTC 
This does not look like it has anything to do with fuzzing. We have the format "[>0]d-mmm-yy"
We seem to write the condition and the xml for  d-mmm-yy fine and then try to write a format for a NULL fmt.
Comment 2 Andreas J. Guelzow 2013-07-30 18:07:47 UTC 
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.

(The fix is in goffice.)