Bug 706075 - Out-of-bounds read on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-08-15 14:02 UTC by jutaky
Modified: 2013-08-15 16:59 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2013-08-15 14:02:56 UTC
Out-of-bounds read on a fuzzed xls file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_14464_116130.xls

Interestingly, I can't reproduce the segfault myself the second time...

But valgrind caught the following:

==27316== Invalid read of size 1
==27316==    at 0x185A9C5C: xl_chart_read_shtprops (ms-chart.c:2100)
==27316==    by 0x185AF5FF: ms_excel_chart_read (ms-chart.c:3638)
==27316==    by 0x185B0157: ms_excel_chart_read_BOF (ms-chart.c:3866)
==27316==    by 0x185A29FA: ms_read_OBJ (ms-obj.c:1308)
==27316==    by 0x18583B94: excel_read_sheet (ms-excel-read.c:6659)
==27316==    by 0x185849E0: excel_read_BOF (ms-excel-read.c:6995)
==27316==    by 0x1858512F: excel_read_workbook (ms-excel-read.c:7085)
==27316==    by 0x18564C46: excel_enc_file_open (boot.c:193)
==27316==    by 0x18564EFE: excel_file_open (boot.c:250)
==27316==    by 0x5451909: go_plugin_loader_module_func_file_open (go-plugin-loader-module.c:282)
==27316==    by 0x5453810: go_plugin_file_opener_open (go-plugin-service.c:685)
==27316==    by 0x5456491: go_file_opener_open (file.c:417)
==27316==  Address 0x192a6953 is 0 bytes after a block of size 3 alloc'd
==27316==    at 0x4C2C04B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27316==    by 0x8FAA166: g_malloc (gmem.c:104)
==27316==    by 0x8FAA46C: g_malloc_n (gmem.c:345)
==27316==    by 0x18566564: ms_biff_query_next (ms-biff.c:485)
==27316==    by 0x185AF9AD: ms_excel_chart_read (ms-chart.c:3610)
==27316==    by 0x185B0157: ms_excel_chart_read_BOF (ms-chart.c:3866)
==27316==    by 0x185A29FA: ms_read_OBJ (ms-obj.c:1308)
==27316==    by 0x18583B94: excel_read_sheet (ms-excel-read.c:6659)
==27316==    by 0x185849E0: excel_read_BOF (ms-excel-read.c:6995)
==27316==    by 0x1858512F: excel_read_workbook (ms-excel-read.c:7085)
==27316==    by 0x18564C46: excel_enc_file_open (boot.c:193)
==27316==    by 0x18564EFE: excel_file_open (boot.c:250)
==27316== 

--
Juha Kylmänen
Research Assistant, OUSPG
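The valgrind trace above shows a per-record chart parser (xl_chart_read_shtprops) reading one byte immediately past a 3-byte payload that ms_biff_query_next had allocated for the current BIFF record, i.e. the parser trusted a fixed record layout without checking the length the record header declared. The C below is an added illustration, not Gnumeric's code and not the fix mentioned in Comment 1: a minimal BIFF record walker with a length-unchecked ShtProps parser (the shape of the bug) beside a length-checked one. The opcode 0x1044 and the 4-byte ShtProps layout (2-byte flags, 1-byte mdBlank, 1-byte reserved) are assumptions taken from the MS-XLS documentation, the BiffQuery struct is a hypothetical stand-in for the real one, and the sample streams are constructed here, not bytes from the fuzzed file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed from MS-XLS: chart ShtProps record opcode 0x1044, payload of
 * 2-byte flags, 1-byte mdBlank, 1-byte reserved (4 bytes minimum). */
#define BIFF_CHART_SHTPROPS 0x1044
#define SHTPROPS_MIN_LEN    4

/* One BIFF record as handed to a per-record parser (hypothetical struct,
 * modelled on the BiffQuery idea, not Gnumeric's definition). */
typedef struct {
    uint16_t       opcode;
    uint16_t       length; /* payload length declared by the record header */
    const uint8_t *data;   /* exactly `length` bytes are valid */
} BiffQuery;

typedef struct {
    unsigned man_ser_alloc : 1;
    unsigned plot_vis_only : 1;
    uint8_t  md_blank;
} ShtProps;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pull the next record header out of the stream. Returns 1 on a record,
 * 0 at a clean end of stream, -1 when the header or the declared payload
 * would run past the end of the buffer. */
static int biff_query_next(const uint8_t *stream, size_t stream_len,
                           size_t *pos, BiffQuery *q)
{
    if (*pos == stream_len) return 0;
    if (stream_len - *pos < 4) return -1;
    q->opcode = le16(stream + *pos);
    q->length = le16(stream + *pos + 2);
    if (stream_len - *pos - 4 < q->length) return -1;
    q->data = stream + *pos + 4;
    *pos += 4 + q->length;
    return 1;
}

/* Vulnerable pattern: trusts that the record carries all 4 bytes. On a record
 * whose header says 3, data[3] is one byte past the payload, the same shape
 * as the 1-byte read "0 bytes after a block of size 3" in the report above. */
static void shtprops_parse_unchecked(const BiffQuery *q, ShtProps *out)
{
    uint16_t flags = le16(q->data);
    out->man_ser_alloc = flags & 1u;
    out->plot_vis_only = (flags >> 1) & 1u;
    out->md_blank      = q->data[2];
    (void)q->data[3];  /* reserved byte: this is the out-of-bounds read */
}

/* Hardened form: validate the declared length before touching the payload. */
static int shtprops_parse_checked(const BiffQuery *q, ShtProps *out)
{
    if (q->length < SHTPROPS_MIN_LEN) return -1;
    shtprops_parse_unchecked(q, out);
    return 0;
}

/* Walk a stream; count ShtProps records accepted and rejected by the checked
 * parser. Returns biff_query_next's final status (0 clean, -1 truncated). */
static int walk_stream(const uint8_t *stream, size_t len, int *accepted, int *rejected)
{
    size_t pos = 0;
    BiffQuery q;
    int r;
    *accepted = *rejected = 0;
    while ((r = biff_query_next(stream, len, &pos, &q)) == 1) {
        if (q.opcode != BIFF_CHART_SHTPROPS) continue;
        ShtProps p;
        if (shtprops_parse_checked(&q, &p) == 0) (*accepted)++;
        else (*rejected)++;
    }
    return r;
}

/* Constructed sample streams (not bytes from the fuzzed file): a well-formed
 * ShtProps, then one whose header claims only 3 payload bytes; and a stream
 * whose header claims more payload than the buffer holds. */
static const uint8_t sample_short_record[] = {
    0x44, 0x10, 0x04, 0x00,  0x03, 0x00, 0x01, 0x00, /* opcode 0x1044, len 4 */
    0x44, 0x10, 0x03, 0x00,  0x03, 0x00, 0x01,       /* opcode 0x1044, len 3 */
};
static const uint8_t sample_truncated_stream[] = {
    0x44, 0x10, 0x10, 0x00,  0x01,                   /* claims 16 bytes, has 1 */
};

int main(void)
{
    int acc, rej;
    int status = walk_stream(sample_short_record, sizeof sample_short_record, &acc, &rej);
    printf("short-record stream: status=%d accepted=%d rejected=%d\n", status, acc, rej);
    status = walk_stream(sample_truncated_stream, sizeof sample_truncated_stream, &acc, &rej);
    printf("truncated stream: status=%d\n", status);
    return 0;
}
```

Two checks are needed, at two layers: the stream walker must refuse a header whose declared length exceeds the bytes remaining, and each per-record parser must compare the declared length against the minimum the record type needs before indexing into the payload. The short-record stream passes the first check (the header honestly says 3 bytes) and is caught only by the second, which is the layer the report's trace implicates.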
Comment 1 Andreas J. Guelzow 2013-08-15 16:59:10 UTC
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.