Bug 720425 – Use-after-free in gnm_expr_sharer_share on a fuzzed xlsx file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 720425 - Use-after-free in gnm_expr_sharer_share on a fuzzed xlsx file


Summary:	Use-after-free in gnm_expr_sharer_share on a fuzzed xlsx file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-12-13 21:09 UTC by jutaky
Modified:	2013-12-13 21:29 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2013-12-13 21:09:05 UTC

Use-after-free in gnm_expr_sharer_share on a fuzzed xlsx file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2339_184314.xlsx

==13650== ERROR: AddressSanitizer: heap-use-after-free on address 0x600400209dd8 at pc 0x7f67f761e736 bp 0x7fffeb318890 sp 0x7fffeb318888
READ of size 8 at 0x600400209dd8 thread T0
    #0 0x7f67f761e735 in gnm_expr_sharer_share /gnumeric/src/expr.c:2928
    #1 0x7f67f7a7b2b4 in workbook_share_expressions /gnumeric/src/workbook.c:623 (discriminator 1)
    #2 0x7f67f7a9ae7f in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1294
    #3 0x7f67f7a9b43f in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #4 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #5 0x7f67f221abc4 in __libc_start_main ??:?
    #6 0x403de8 in _start ??:?

--
Juha Kylmänen
Research Assistant, OUSPG

Comment 1 Morten Welinder 2013-12-13 21:16:10 UTC

==11793== Invalid read of size 8
==11793==    at 0x4EEED93: gnm_expr_sharer_share (expr.c:2928)
==11793==    by 0x4F9C8C3: workbook_share_expressions (workbook.c:623)
==11793==    by 0x4FA0904: workbook_view_new_from_input (workbook-view.c:1294)
==11793==    by 0x4FA0B0C: workbook_view_new_from_uri (workbook-view.c:1341)
==11793==    by 0x404756: convert (ssconvert.c:696)
==11793==    by 0x403A2C: main (ssconvert.c:860)
==11793==  Address 0x12bc9c88 is 8 bytes inside a block of size 16 free'd
==11793==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11793==    by 0x4EEEDCC: gnm_expr_sharer_share (expr.c:2936)
==11793==    by 0x4F9C8C3: workbook_share_expressions (workbook.c:623)
==11793==    by 0x4FA0904: workbook_view_new_from_input (workbook-view.c:1294)
==11793==    by 0x4FA0B0C: workbook_view_new_from_uri (workbook-view.c:1341)
==11793==    by 0x404756: convert (ssconvert.c:696)
==11793==    by 0x403A2C: main (ssconvert.c:860)

Comment 2 Morten Welinder 2013-12-13 21:20:49 UTC

This is how it would look if something in the importer forgot to ref
an expression somewhere.

Comment 3 Morten Welinder 2013-12-13 21:29:29 UTC

...or had an extra unref.

This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.