Bug 712788 - Use-after-free on exit on a fuzzed xlsx file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal normal
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
Reported: 2013-11-21 08:53 UTC by jutaky
Modified: 2013-11-21 14:47 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2013-11-21 08:53:03 UTC
Use-after-free on exit on a fuzzed xlsx file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_255694.xlsx


==21903== ERROR: AddressSanitizer: heap-use-after-free on address 0x60180069b140 at pc 0x7f4959c42f1c bp 0x7fff635bec30 sp 0x7fff635bec28
READ of size 8 at 0x60180069b140 thread T0
    #0 0x7f4959c42f1b in gnm_func_get_name /gnumeric/src/func.c:1414
    #1 0x7f4959e2a40a in std_expr_func_handler /gnumeric/src/parse-util.c:1250
    #2 0x7f4959c07e46 in do_expr_as_string /gnumeric/src/expr.c:1740
    #3 0x7f4959c09358 in gnm_expr_as_string /gnumeric/src/expr.c:1850
    #4 0x7f4959c1b4c5 in cb_expression_pool_leak /gnumeric/src/expr.c:3428
    #5 0x7f4955138734 in g_slist_foreach /glib/glib/gslist.c:896
    #6 0x7f4959281184 in go_mem_chunk_foreach_leak /goffice/goffice/utils/go-glib-extras.c:723
    #7 0x7f4959c1b600 in expr_shutdown /gnumeric/src/expr.c:3438
    #8 0x7f4959d0ab55 in gnm_shutdown /gnumeric/src/libgnumeric.c:318
    #9 0x40b40b in main /gnumeric/src/main-application.c:393
    #10 0x7f4954817bc4 in __libc_start_main ??:?
    #11 0x403de8 in _start ??:?
ASAN:SIGSEGV

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-11-21 14:28:02 UTC
It's crashing in the leak detector on exit. An expression has been leaked in this case and we crash while trying to print it.

We live with this because the leak detector is so useful. It's on exit so no data is in danger. The fix will be to not leak.
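The mechanism described in the comment and the stack trace above (a shutdown-time leak check walks the expression pool and prints each leaked expression, and printing looks up the function's name after the function table has already been torn down) can be modelled in a few lines. The program below is an added example written for this page; it is not Gnumeric's code, and the names `func_register`, `expr_new_funcall`, `expr_report_leaks` and the `func_table_alive` guard are invented for the illustration. It shows the safe teardown order (report leaks while the table is alive), the guard that keeps the diagnostic itself from dereferencing a dangling pointer if the order is wrong, and the actual fix the maintainer names: releasing the expression so nothing leaks.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (constructed for this example, not Gnumeric's code) of the two
 * pieces the ASan trace involves: a table of builtin functions and a pool of
 * live expressions that is walked on shutdown to report leaks. */

typedef struct { char *name; } Func;

typedef struct Expr {
    int refcount;
    Func *func;          /* borrowed: owned by the function table */
    struct Expr *next;   /* pool bookkeeping: every live expression */
} Expr;

#define MAX_FUNCS 8
static Func *func_table[MAX_FUNCS];
static size_t func_count;
static int func_table_alive;     /* cleared once the table is freed */
static Expr *live_exprs;

static Func *func_register(const char *name)
{
    Func *f = malloc(sizeof *f);
    size_t n = strlen(name) + 1;
    f->name = malloc(n);
    memcpy(f->name, name, n);
    func_table[func_count++] = f;
    func_table_alive = 1;
    return f;
}

static void func_table_shutdown(void)
{
    for (size_t i = 0; i < func_count; i++) {
        free(func_table[i]->name);
        free(func_table[i]);
        func_table[i] = NULL;
    }
    func_count = 0;
    func_table_alive = 0;        /* any Expr->func still around now dangles */
}

static Expr *expr_new_funcall(Func *f)
{
    Expr *e = malloc(sizeof *e);
    e->refcount = 1;
    e->func = f;
    e->next = live_exprs;
    live_exprs = e;
    return e;
}

static void expr_unref(Expr *e)
{
    if (--e->refcount > 0) return;
    for (Expr **p = &live_exprs; *p; p = &(*p)->next)
        if (*p == e) { *p = e->next; break; }
    free(e);
}

/* Guard (invented here): never follow e->func once its table is gone.
 * Without it, this lookup is the heap-use-after-free in the trace. */
static const char *expr_func_name(const Expr *e)
{
    if (!func_table_alive) return "<function table already torn down>";
    return e->func->name;
}

/* Leak report: returns how many expressions are still alive and writes one
 * line per leaked expression into buf (truncating safely). */
static int expr_report_leaks(char *buf, size_t len)
{
    int n = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (const Expr *e = live_exprs; e; e = e->next, n++) {
        int w = snprintf(buf + used, len - used, "leaked: %s()\n", expr_func_name(e));
        if (w > 0 && (size_t)w < len - used) used += (size_t)w;
    }
    return n;
}

/* Scenario A: one expression leaked, report run in the correct order. */
static int scenario_leak_caught(char *buf, size_t len)
{
    Func *sum = func_register("SUM");
    Expr *a = expr_new_funcall(sum);
    Expr *b = expr_new_funcall(sum);
    expr_unref(b);                       /* b released properly */
    int n = expr_report_leaks(buf, len); /* report while the table is alive */
    expr_unref(a);                       /* "the fix will be to not leak" */
    func_table_shutdown();
    return n;
}

/* Scenario B: the wrong order from the trace; the guard keeps it a clean
 * diagnostic instead of a dangling read. */
static int scenario_wrong_order_guarded(char *buf, size_t len)
{
    Func *sum = func_register("SUM");
    Expr *a = expr_new_funcall(sum);
    func_table_shutdown();               /* a->func now dangles */
    int n = expr_report_leaks(buf, len);
    expr_unref(a);
    return n;
}

int main(void)
{
    char buf[256];
    int n = scenario_leak_caught(buf, sizeof buf);
    printf("scenario A: %d leaked\n%s", n, buf);
    n = scenario_wrong_order_guarded(buf, sizeof buf);
    printf("scenario B: %d leaked\n%s", n, buf);
    return 0;
}
```

Scenario A is the state the maintainer describes (a leak exists, the detector finds it) with the report ordered before teardown; scenario B is the shutdown order implied by the trace, where only the guard stands between the report and the freed name. In a real code base the guard is belt-and-braces: the durable fix is the one in comment 2, releasing the expression so the detector has nothing to print.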
Comment 2 Morten Welinder 2013-11-21 14:47:04 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.