After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 706417 - xls save crash on areas with input message, but no validation
xls save crash on areas with input message, but no validation
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-08-20 15:58 UTC by jutaky
Modified: 2013-08-20 19:13 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2013-08-20 15:58:50 UTC 
Out-of-bounds read on converting a fuzzed .gnumeric file into xls.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_20039_197369.2xls.gnumeric

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe5ff157b in excel_write_prep_validations (esheet=0x8498a0) at ms-excel-write.c:1517
1517			if (v->deps[0].texpr != NULL)
(gdb) bt

+ Trace 232397

  • #0 excel_write_prep_validations
    at ms-excel-write.c line 1517
  • #1 excel_write_state_new
    at ms-excel-write.c line 6478
  • #2 excel_save
    at boot.c line 266
  • #3 excel_biff8_file_save
    at boot.c line 322
  • #4 go_plugin_loader_module_func_file_save
    at app/go-plugin-loader-module.c line 366
  • #5 go_plugin_file_saver_save
    at app/go-plugin-service.c line 948
  • #6 go_file_saver_save
    at app/file.c line 848
  • #7 wbv_save_to_output
    at workbook-view.c line 1055
  • #8 wb_view_save_to_uri
    at workbook-view.c line 1092
  • #9 wb_view_save_as
    at workbook-view.c line 1128
  • #10 convert
    at ssconvert.c line 788
  • #11 main
    at ssconvert.c line 860 

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-08-20 19:13:48 UTC 
We had that for ods recently.  Same fix, more or less.

This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.