GNOME Bugzilla – Bug 715003
Out-of-bounds read on gnumeric2xls conversion
Last modified: 2013-11-22 23:12:42 UTC
Out-of-bounds read on gnumeric2xls conversion. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_32445_24838.2xls.gnumeric

==28934== ERROR: AddressSanitizer: SEGV on unknown address 0x600400230000 (pc 0x7f1a342b6870 sp 0x7fff089740b0 bp 0x7fff089740d0 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f1a342b686f in g_utf8_pointer_to_offset /glib/glib/gutf8.c:402
    #1 0x7f1a16499027 in excel_write_RSTRING /gnumeric/plugins/excel/ms-excel-write.c:3465 (discriminator 2)
    #2 0x7f1a164999da in excel_write_cell /gnumeric/plugins/excel/ms-excel-write.c:3501
    #3 0x7f1a164b17b6 in excel_sheet_write_block /gnumeric/plugins/excel/ms-excel-write.c:5235
    #4 0x7f1a164b46f1 in excel_write_sheet /gnumeric/plugins/excel/ms-excel-write.c:5417 (discriminator 2)
    #5 0x7f1a164c2bfc in excel_write_workbook /gnumeric/plugins/excel/ms-excel-write.c:6269 (discriminator 2)
    #6 0x7f1a164c39b8 in excel_write_v8 /gnumeric/plugins/excel/ms-excel-write.c:6322
    #7 0x7f1a163dfeca in excel_save /gnumeric/plugins/excel/boot.c:281
    #8 0x7f1a163e0721 in excel_biff8_file_save /gnumeric/plugins/excel/boot.c:322
    #9 0x7f1a3808d3bc in go_plugin_loader_module_func_file_save /goffice/goffice/app/go-plugin-loader-module.c:366
    #10 0x7f1a380980a4 in go_plugin_file_saver_save /goffice/goffice/app/go-plugin-service.c:948 (discriminator 1)
    #11 0x7f1a380a65e0 in go_file_saver_save /goffice/goffice/app/file.c:848
    #12 0x7f1a391f4440 in wbv_save_to_output /gnumeric/src/workbook-view.c:1059
    #13 0x7f1a391f4c76 in wb_view_save_to_uri /gnumeric/src/workbook-view.c:1096
    #14 0x7f1a391f55fd in wb_view_save_as /gnumeric/src/workbook-view.c:1132
    #15 0x40a9ab in convert /gnumeric/src/ssconvert.c:788
    #16 0x40b6b2 in main /gnumeric/src/ssconvert.c:860
    #17 0x7f1a3397fbc4 in __libc_start_main ??:?
    #18 0x403f68 in _start ??:?
==28934== ABORTING

--
Juha Kylmänen
Research Assistant, OUSPG
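The trace above faults inside g_utf8_pointer_to_offset while excel_write_RSTRING asks glib for the character offset of a pointer into a cell string. That glib routine counts characters by stepping from the start of the string forward until it reaches the requested pointer, so a pointer that does not lie inside the string (or inside its allocation) makes the walk run off the end, which is exactly what AddressSanitizer reports. The C program below is an added illustration of that failure mode and of the bounds check a caller can apply before making the call; it is not code from gnumeric or glib, and it is not the fix that was committed (the report does not say what the root cause or the fix was). The utf8_next helper is a simplified stand-in for g_utf8_next_char that assumes well-formed UTF-8, and SAMPLE is a constructed input.

```c
/* Added example, not gnumeric or glib code. Models the counting loop in
 * g_utf8_pointer_to_offset and shows why a pointer that is not a valid
 * position inside the string makes that loop read past the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for g_utf8_next_char (assumption: input is valid UTF-8).
 * Decodes the lead byte to find the length of the current character. */
const char *utf8_next(const char *p)
{
    unsigned char c = (unsigned char)*p;
    if (c < 0x80)          return p + 1;   /* ASCII */
    if ((c & 0xE0) == 0xC0) return p + 2;   /* 2-byte sequence */
    if ((c & 0xF0) == 0xE0) return p + 3;   /* 3-byte sequence */
    return p + 4;                           /* 4-byte sequence */
}

/* Mirrors the shape of the glib loop: walk from str while s < pos.
 * Nothing here stops the walk if pos is beyond the end of str, so a bad
 * pos turns into an out-of-bounds read, as in the ASan report above. */
long offset_unchecked(const char *str, const char *pos)
{
    long n = 0;
    for (const char *s = str; s < pos; s = utf8_next(s))
        n++;
    return n;
}

/* Guarded variant: the caller passes the byte length it knows for str, and
 * pos is only accepted if it lies within [str, str + len] and lands on a
 * character boundary. Returns -1 otherwise instead of walking off the end.
 * Pointer comparisons go through uintptr_t so unrelated pointers are safe. */
long offset_checked(const char *str, size_t len, const char *pos)
{
    uintptr_t lo = (uintptr_t)str, hi = (uintptr_t)(str + len), p = (uintptr_t)pos;
    if (p < lo || p > hi)
        return -1;                          /* not inside the string at all */
    long n = 0;
    const char *s = str;
    while (s < pos) {
        s = utf8_next(s);
        n++;
    }
    return s == pos ? n : -1;               /* -1 if pos is mid-character */
}

/* Constructed sample: "h" "é" (2 bytes: C3 A9) "l" "l" "o" = 6 bytes, 5 chars. */
const char SAMPLE[] = "h\xC3\xA9llo";
const size_t SAMPLE_LEN = sizeof(SAMPLE) - 1;

int main(void)
{
    printf("offset of byte 3 (checked):   %ld\n", offset_checked(SAMPLE, SAMPLE_LEN, SAMPLE + 3));
    printf("offset of byte 2 (mid-char):  %ld\n", offset_checked(SAMPLE, SAMPLE_LEN, SAMPLE + 2));
    printf("offset of byte 40 (outside):  %ld\n", offset_checked(SAMPLE, SAMPLE_LEN, SAMPLE + 40));
    /* offset_unchecked(SAMPLE, SAMPLE + 40) would walk past the 7-byte array;
     * under AddressSanitizer that is the read reported at gutf8.c:402. */
    return 0;
}
```

The unchecked function is deliberately left as the glib-shaped loop so the two variants can be compared; in real code the caller that derives pos (here, the Excel writer building a rich-text string) is the place to guarantee the pointer came from the same buffer and the same length it is about to hand to glib.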
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.