GNOME Bugzilla – Bug 712700
Out-of-bounds read on saving a fuzzed xlsx file
Last modified: 2013-11-19 18:22:14 UTC
Out-of-bounds read on saving a fuzzed xlsx file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_10985.2xlsx.xlsx

==31236== ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fca14e4cd7c at pc 0x7fca0ddcdf6c bp 0x7fff7a9a96d0 sp 0x7fff7a9a96c8
READ of size 4 at 0x7fca14e4cd7c thread T0
    #0 0x7fca0ddcdf6b in xlsx_write_series_dim /gnumeric/plugins/excel/xlsx-write-drawing.c:91
    #1 0x7fca0ddd1119 in xlsx_write_one_plot /gnumeric/plugins/excel/xlsx-write-drawing.c:309
    #2 0x7fca0ddd309f in xlsx_write_plots /gnumeric/plugins/excel/xlsx-write-drawing.c:411
    #3 0x7fca0ddd3539 in xlsx_write_one_chart /gnumeric/plugins/excel/xlsx-write-drawing.c:430
    #4 0x7fca0ddd3a85 in xlsx_write_chart /gnumeric/plugins/excel/xlsx-write-drawing.c:458
    #5 0x7fca0ddd47cd in xlsx_write_objects /gnumeric/plugins/excel/xlsx-write-drawing.c:512 (discriminator 2)
    #6 0x7fca0ddd61a7 in xlsx_write_sheet /gnumeric/plugins/excel/xlsx-write.c:2276
    #7 0x7fca0dde127e in xlsx_write_workbook /gnumeric/plugins/excel/xlsx-write.c:2482 (discriminator 2)
    #8 0x7fca0dde3522 in xlsx2_file_save /gnumeric/plugins/excel/xlsx-write.c:2618
    #9 0x7fca2f64538c in go_plugin_loader_module_func_file_save /goffice/goffice/app/go-plugin-loader-module.c:366
    #10 0x7fca2f650074 in go_plugin_file_saver_save /goffice/goffice/app/go-plugin-service.c:948 (discriminator 1)
    #11 0x7fca2f65e5b0 in go_file_saver_save /goffice/goffice/app/file.c:848
    #12 0x7fca307ac440 in wbv_save_to_output /gnumeric/src/workbook-view.c:1059
    #13 0x7fca307acc76 in wb_view_save_to_uri /gnumeric/src/workbook-view.c:1096
    #14 0x7fca307ad5fd in wb_view_save_as /gnumeric/src/workbook-view.c:1132
    #15 0x40a9ab in convert /gnumeric/src/ssconvert.c:788
    #16 0x40b6b2 in main /gnumeric/src/ssconvert.c:860
    #17 0x7fca2af37bc4 in __libc_start_main ??:?
    #18 0x403f68 in _start ??:?
0x7fca14e4cd7c is located 28 bytes to the right of global variable 'gog_tool_move_pie (gog-pie.c)' (0x7fca14e4cd20) of size 64
0x7fca14e4cd7c is located 4 bytes to the left of global variable 'dimensions (gog-pie.c)' (0x7fca14e4cd80) of size 48

--
Juha Kylmänen
Research Assistant, OUSPG
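As an added triage helper, not part of the bug report and not gnumeric's or goffice's own code, the following Python parses the AddressSanitizer output quoted above, picks out the innermost frame under the project's source tree, and recomputes the distances to the two neighbouring globals from the printed addresses. That is the check a maintainer does by hand: 0x7fca14e4cd7c is 4 bytes before the start of 'dimensions', which is exactly one element before a table of 4-byte entries, so an index of -1 is the first thing to look for at xlsx-write-drawing.c:91 (the index is an inference from the addresses, the report does not state it). SAMPLE_REPORT is the report above trimmed to a subset of its frames; the function names and the "/gnumeric/" prefix argument are the example's own choices.

```python
"""Parse an AddressSanitizer global-buffer-overflow report and cross-check its
address arithmetic, so the triage done by eye above can be done mechanically."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ASan output quoted in this bug, trimmed to 8 of its
# 19 frames. Addresses, names and sizes are taken verbatim from the report.
SAMPLE_REPORT = """\
==31236== ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fca14e4cd7c at pc 0x7fca0ddcdf6c bp 0x7fff7a9a96d0 sp 0x7fff7a9a96c8
READ of size 4 at 0x7fca14e4cd7c thread T0
    #0 0x7fca0ddcdf6b in xlsx_write_series_dim /gnumeric/plugins/excel/xlsx-write-drawing.c:91
    #1 0x7fca0ddd1119 in xlsx_write_one_plot /gnumeric/plugins/excel/xlsx-write-drawing.c:309
    #2 0x7fca0ddd309f in xlsx_write_plots /gnumeric/plugins/excel/xlsx-write-drawing.c:411
    #5 0x7fca0ddd47cd in xlsx_write_objects /gnumeric/plugins/excel/xlsx-write-drawing.c:512 (discriminator 2)
    #8 0x7fca0dde3522 in xlsx2_file_save /gnumeric/plugins/excel/xlsx-write.c:2618
    #15 0x40a9ab in convert /gnumeric/src/ssconvert.c:788
    #17 0x7fca2af37bc4 in __libc_start_main ??:?
    #18 0x403f68 in _start ??:?
0x7fca14e4cd7c is located 28 bytes to the right of global variable 'gog_tool_move_pie (gog-pie.c)' (0x7fca14e4cd20) of size 64
0x7fca14e4cd7c is located 4 bytes to the left of global variable 'dimensions (gog-pie.c)' (0x7fca14e4cd80) of size 48
"""

ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
GLOBAL_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the "
    r"(?P<side>left|right) of global variable '(?P<name>[^']+)' "
    r"\((?P<gaddr>0x[0-9a-f]+)\) of size (?P<size>\d+)", re.M)


@dataclass
class Frame:
    func: str
    file: str
    line: Optional[int]   # None when the frame had no debug info ("??:?")


@dataclass
class GlobalRef:
    name: str
    addr: int
    size: int
    side: str             # "left"/"right": where the fault lies relative to the global
    stated_dist: int      # distance in bytes as printed by ASan


@dataclass
class AsanReport:
    kind: str
    fault_addr: int
    op: str
    access_size: int
    frames: List[Frame]
    globals_: List[GlobalRef]


@dataclass
class DistanceCheck:
    name: str
    offset: int           # fault_addr - start of the global (negative = before it)
    consistent: bool      # printed distance agrees with the printed addresses


def parse_asan(text: str) -> AsanReport:
    err, acc = ERROR_RE.search(text), ACCESS_RE.search(text)
    if not err or not acc:
        raise ValueError("not an AddressSanitizer access report")
    frames = []
    for m in FRAME_RE.finditer(text):
        path, _, line = m.group("loc").rpartition(":")   # "??:?" -> no line number
        frames.append(Frame(m.group("func"), path, int(line) if line.isdigit() else None))
    globs = [GlobalRef(m.group("name"), int(m.group("gaddr"), 16), int(m.group("size")),
                       m.group("side"), int(m.group("dist")))
             for m in GLOBAL_RE.finditer(text)]
    return AsanReport(err.group("kind"), int(err.group("addr"), 16), acc.group("op"),
                      int(acc.group("size")), frames, globs)


def blame_frame(r: AsanReport, project_prefix: str) -> Optional[Frame]:
    """Innermost frame whose source file lives under project_prefix: look there first."""
    return next((f for f in r.frames if f.file.startswith(project_prefix)), None)


def check_global_distances(r: AsanReport) -> List[DistanceCheck]:
    """Recompute each 'N bytes to the left/right of' claim from the raw addresses."""
    out = []
    for g in r.globals_:
        if g.side == "right":
            recomputed = r.fault_addr - (g.addr + g.size)   # past the end of the global
        else:
            recomputed = g.addr - r.fault_addr              # before its start
        out.append(DistanceCheck(g.name, r.fault_addr - g.addr, recomputed == g.stated_dist))
    return out


def likely_index(r: AsanReport, global_name: str, elem_size: Optional[int] = None) -> Optional[int]:
    """Array index the access corresponds to if the named global is a table of
    elem_size-byte elements (default: the access size). None if not element-aligned."""
    elem = elem_size or r.access_size
    for g in r.globals_:
        if g.name == global_name:
            offset = r.fault_addr - g.addr
            return offset // elem if offset % elem == 0 else None
    return None


if __name__ == "__main__":
    rep = parse_asan(SAMPLE_REPORT)
    print(rep.kind, rep.op, rep.access_size, "bytes; blame:", blame_frame(rep, "/gnumeric/"))
    for c in check_global_distances(rep):
        print(f"{c.name}: offset {c.offset:+d}, report consistent={c.consistent}")
    print("index into 'dimensions' if 4-byte elements:",
          likely_index(rep, "dimensions (gog-pie.c)"))
```

Running it on the full report instead of the trimmed sample gives the same result, since the frame regex ignores the `(discriminator N)` suffixes and the `??:?` frames; the consistency check is worth keeping around because a report whose stated distances disagree with its addresses usually means the text was copied or edited by hand.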
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.