Bug 720358 - Heap-buffer overread in gsf_mem_dump_full on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Duplicates: 719349 720457
Depends on:
Blocks:
Reported: 2013-12-12 22:02 UTC by jutaky
Modified: 2013-12-23 00:47 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Patch (1.42 KB, patch), 2013-12-21 19:44 UTC, Morten Welinder

Description jutaky 2013-12-12 22:02:58 UTC
Heap-buffer overread in gsf_mem_dump_full on a fuzzed xls file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2339_113199.xls

==2215== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340003e058 at pc 0x7ff93803ea37 bp 0x7fffd225a5b0 sp 0x7fffd225a5a8
READ of size 1 at 0x60340003e058 thread T0
    #0 0x7ff93803ea36 in gsf_mem_dump_full /libgsf/gsf/gsf-utils.c:254
    #1 0x7ff93803ee55 in gsf_mem_dump /libgsf/gsf/gsf-utils.c:284
    #2 0x7ff91759e4a6 in excel_parse_formula1 /gnumeric/plugins/excel/ms-formula-read.c:1803 (discriminator 3)
    #3 0x7ff91759eaf3 in excel_parse_formula /gnumeric/plugins/excel/ms-formula-read.c:1844
    #4 0x7ff9174d22b0 in ms_sheet_parse_expr_internal /gnumeric/plugins/excel/ms-excel-read.c:302
    #5 0x7ff9174d2621 in ms_sheet_parse_expr /gnumeric/plugins/excel/ms-excel-read.c:324
    #6 0x7ff9174b9f44 in ms_container_parse_expr /gnumeric/plugins/excel/ms-container.c:188
    #7 0x7ff9175b0bea in ms_obj_read_expr /gnumeric/plugins/excel/ms-obj.c:519
    #8 0x7ff9175b2205 in read_pre_biff8_read_expr /gnumeric/plugins/excel/ms-obj.c:623
    #9 0x7ff9175b2824 in read_pre_biff8_read_name_and_fmla /gnumeric/plugins/excel/ms-obj.c:657
    #10 0x7ff9175b4548 in ms_obj_read_pre_biff8_obj /gnumeric/plugins/excel/ms-obj.c:745
    #11 0x7ff9175ba293 in ms_read_OBJ /gnumeric/plugins/excel/ms-obj.c:1283 (discriminator 2)
    #12 0x7ff91752a199 in excel_read_sheet /gnumeric/plugins/excel/ms-excel-read.c:6660
    #13 0x7ff91752e82c in excel_read_BOF /gnumeric/plugins/excel/ms-excel-read.c:6996
    #14 0x7ff91752feda in excel_read_workbook /gnumeric/plugins/excel/ms-excel-read.c:7086
    #15 0x7ff9174a5c8c in excel_enc_file_open /gnumeric/plugins/excel/boot.c:193
    #16 0x7ff9174a692a in excel_file_open /gnumeric/plugins/excel/boot.c:250
    #17 0x7ff93889ff1e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #18 0x7ff9388a8e80 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #19 0x7ff9388b57cf in go_file_opener_open /goffice/goffice/app/file.c:417
    #20 0x7ff939a18c40 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #21 0x7ff939a1942f in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #22 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #23 0x7ff934198bc4 in __libc_start_main ??:?
    #24 0x403de8 in _start ??:?
0x60340003e058 is located 0 bytes to the right of 472-byte region [0x60340003de80,0x60340003e058)

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-12-13 02:27:06 UTC
==4229== Invalid read of size 1
==4229==    at 0x6BE6C50: gsf_mem_dump_full (gsf-utils.c:254)
==4229==    by 0x12DE3C8F: excel_parse_formula1 (ms-formula-read.c:1803)
==4229==    by 0x12DE5A1A: excel_parse_formula (ms-formula-read.c:1844)
==4229==    by 0x12DC4FDB: ms_sheet_parse_expr_internal (ms-excel-read.c:302)
==4229==    by 0x12DE886B: ms_obj_read_expr.isra.8 (ms-obj.c:519)
==4229==    by 0x12DE8CF1: read_pre_biff8_read_name_and_fmla (ms-obj.c:623)
==4229==    by 0x12DE992D: ms_read_OBJ (ms-obj.c:745)
==4229==    by 0x12DCED1C: excel_read_sheet (ms-excel-read.c:6662)
==4229==    by 0x12DD1C6F: excel_read_BOF.isra.79 (ms-excel-read.c:6998)
==4229==    by 0x12DD282D: excel_read_workbook (ms-excel-read.c:7088)
==4229==    by 0x12DBCCCE: excel_enc_file_open (boot.c:193)
==4229==    by 0x53F10BA: go_plugin_file_opener_open (go-plugin-service.c:685)
==4229==  Address 0x13600628 is 0 bytes after a block of size 472 alloc'd
==4229==    at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4229==    by 0x633DDD0: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3800.1)
==4229==    by 0x12DBDDC8: ms_biff_query_next (ms-biff.c:485)
==4229==    by 0x12DCE0E4: excel_read_sheet (ms-excel-read.c:6545)
==4229==    by 0x12DD1C6F: excel_read_BOF.isra.79 (ms-excel-read.c:6998)
==4229==    by 0x12DD282D: excel_read_workbook (ms-excel-read.c:7088)
==4229==    by 0x12DBCCCE: excel_enc_file_open (boot.c:193)
==4229==    by 0x53F10BA: go_plugin_file_opener_open (go-plugin-service.c:685)
==4229==    by 0x4F9375E: workbook_view_new_from_input (workbook-view.c:1281)
==4229==    by 0x4F9399B: workbook_view_new_from_uri (workbook-view.c:1341)
==4229==    by 0x403404: main (main-application.c:322)
==4229==
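Both traces above show the same shape of defect: the record buffer is a fixed 472-byte heap block allocated in ms_biff_query_next, and the hex dump in gsf_mem_dump_full reads exactly one byte past its end while dumping a formula whose length came from the file. The following C is an added illustration, not Gnumeric or libgsf code, of the checks a parser needs at that point: the declared formula length is validated against the bytes remaining in the record before any read, and the dump helper is bounded by the record rather than by the untrusted length. The record layout (a 2-byte little-endian length field at offset 10 followed by formula bytes) and the 600-byte sample value are constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Gnumeric or libgsf code: a BIFF-style record is a
   fixed-size heap block, and a length field inside it comes from the file,
   so every read derived from that field must be checked against the block. */

typedef struct {
    const uint8_t *data;
    size_t len;             /* bytes actually present in the record */
} record_t;

/* Read a little-endian 16-bit field; fail instead of reading past the record. */
bool read_u16le(const record_t *r, size_t off, uint16_t *out)
{
    if (off > r->len || r->len - off < 2)
        return false;
    *out = (uint16_t)(r->data[off] | (r->data[off + 1] << 8));
    return true;
}

/* True when 'len' bytes starting at 'off' lie entirely inside the record. */
bool span_fits(const record_t *r, size_t off, size_t len)
{
    return off <= r->len && len <= r->len - off;
}

/* Number of bytes that may safely be read at 'off' when 'requested' is
   untrusted: the request is clamped to what remains in the record. */
size_t clamp_len(size_t record_len, size_t off, size_t requested)
{
    if (off >= record_len)
        return 0;
    size_t avail = record_len - off;
    return requested < avail ? requested : avail;
}

/* Hex-dump at most 'len' bytes at 'off'; the dump is bounded by the record
   itself, so an oversized length cannot read past the allocation.
   Returns the number of bytes actually dumped. */
size_t dump_bounded(const record_t *r, size_t off, size_t len, FILE *out)
{
    size_t n = clamp_len(r->len, off, len);
    for (size_t i = 0; i < n; i++) {
        if (i % 16 == 0)
            fprintf(out, "%s%04zx: ", i ? "\n" : "", off + i);
        fprintf(out, "%02x ", r->data[off + i]);
    }
    if (n)
        fputc('\n', out);
    return n;
}

/* Assumed layout for the example: a 2-byte formula length at FMLA_LEN_OFF
   followed by the formula bytes. Returns the formula length when the whole
   formula fits, or -1 when the declared length overruns the record. */
#define FMLA_LEN_OFF 10
#define FMLA_OFF     (FMLA_LEN_OFF + 2)

long check_formula_record(const record_t *r)
{
    uint16_t fmla_len;
    if (!read_u16le(r, FMLA_LEN_OFF, &fmla_len))
        return -1;
    if (!span_fits(r, FMLA_OFF, fmla_len))
        return -1;               /* declared length runs past the block */
    return (long)fmla_len;
}

/* Constructed sample: a 472-byte record (the block size in the reports above)
   whose length field claims 600 formula bytes. */
#define SAMPLE_LEN 472
static uint8_t sample_record[SAMPLE_LEN];

/* Check result for the oversized sample: -1, i.e. the record is rejected. */
long demo_oversized_formula(void)
{
    sample_record[FMLA_LEN_OFF]     = 600 & 0xff;   /* 0x58 */
    sample_record[FMLA_LEN_OFF + 1] = 600 >> 8;     /* 0x02 */
    record_t rec = { sample_record, SAMPLE_LEN };
    return check_formula_record(&rec);
}

/* Check result for a well-formed record claiming 20 formula bytes: 20. */
long demo_valid_formula(void)
{
    uint8_t buf[SAMPLE_LEN] = {0};
    buf[FMLA_LEN_OFF] = 20;
    record_t rec = { buf, SAMPLE_LEN };
    return check_formula_record(&rec);
}

/* Bytes a bounded dump of the oversized request emits: 460, never 600. */
size_t demo_bounded_dump(void)
{
    record_t rec = { sample_record, SAMPLE_LEN };
    return dump_bounded(&rec, FMLA_OFF, 600, stdout);
}

int main(void)
{
    printf("oversized: %ld\n", demo_oversized_formula());
    printf("valid: %ld\n", demo_valid_formula());
    printf("dumped: %zu bytes\n", demo_bounded_dump());
    return 0;
}
```

The point of keeping the length check in the parser and the clamp in the dump helper is defence in depth: the parser rejects a record whose declared formula length cannot fit, and even if a caller passes an unchecked length to the debugging dump, the dump cannot read beyond the record it was handed.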
Comment 2 Morten Welinder 2013-12-21 19:44:34 UTC
Created attachment 264734
Patch

Patch attached -- cannot commit from here.
Comment 3 Morten Welinder 2013-12-21 19:51:38 UTC
*** Bug 719349 has been marked as a duplicate of this bug. ***
Comment 4 Morten Welinder 2013-12-22 14:49:25 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
Comment 5 Morten Welinder 2013-12-23 00:47:45 UTC
*** Bug 720457 has been marked as a duplicate of this bug. ***