After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 715002 - Heap-buffer overread in excel_read_XF on a fuzzed xls file
Heap-buffer overread in excel_read_XF on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2013-11-22 11:17 UTC by jutaky
Modified: 2013-12-22 14:49 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2013-11-22 11:17:59 UTC
Heap-buffer overread in excel_read_XF on a fuzzed xls file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_11510_28538.xls

==23140== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600600095363 at pc 0x7f0a193e0717 bp 0x7fff7b12d0f0 sp 0x7fff7b12d0e8
READ of size 1 at 0x600600095363 thread T0
    #0 0x7f0a193e0716 in excel_read_XF /gnumeric/plugins/excel/ms-excel-read.c:2687
    #1 0x7f0a1941f2e8 in excel_read_workbook /gnumeric/plugins/excel/ms-excel-read.c:7103
    #2 0x7f0a19394c2c in excel_enc_file_open /gnumeric/plugins/excel/boot.c:193
    #3 0x7f0a193958ca in excel_file_open /gnumeric/plugins/excel/boot.c:250
    #4 0x7f0a3ae2600e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #5 0x7f0a3ae2ef70 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #6 0x7f0a3ae3b8bf in go_file_opener_open /goffice/goffice/app/file.c:417
    #7 0x7f0a3bf91684 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #8 0x7f0a3bf91e73 in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #9 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #10 0x7f0a36719bc4 in __libc_start_main ??:?
    #11 0x403de8 in _start ??:?
0x600600095363 is located 0 bytes to the right of 19-byte region [0x600600095350,0x600600095363)

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-12-21 19:57:11 UTC
Fix in hand.  Will commit later.
Comment 2 Morten Welinder 2013-12-22 14:49:44 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.