GNOME Bugzilla – Bug 720457
Heap-buffer overread in read_pre_biff8_read_name_and_fmla on a fuzzed xls file
Last modified: 2013-12-23 00:47:45 UTC
Heap-buffer overread in read_pre_biff8_read_name_and_fmla on a fuzzed xls file. Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2339_346389.xls

==26157== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600c00096e9e at pc 0x7f81c36fa56c bp 0x7fffbb055000 sp 0x7fffbb054ff8
READ of size 1 at 0x600c00096e9e thread T0
    #0 0x7f81c36fa56b in read_pre_biff8_read_name_and_fmla /gnumeric/plugins/excel/ms-obj.c:644
    #1 0x7f81c36fc886 in ms_obj_read_pre_biff8_obj /gnumeric/plugins/excel/ms-obj.c:757
    #2 0x7f81c3702293 in ms_read_OBJ /gnumeric/plugins/excel/ms-obj.c:1283 (discriminator 2)
    #3 0x7f81c3672199 in excel_read_sheet /gnumeric/plugins/excel/ms-excel-read.c:6663
    #4 0x7f81c367682c in excel_read_BOF /gnumeric/plugins/excel/ms-excel-read.c:6999
    #5 0x7f81c3677eda in excel_read_workbook /gnumeric/plugins/excel/ms-excel-read.c:7089
    #6 0x7f81c35edc8c in excel_enc_file_open /gnumeric/plugins/excel/boot.c:193
    #7 0x7f81c35ee92a in excel_file_open /gnumeric/plugins/excel/boot.c:250
    #8 0x7f81e49e7f1e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #9 0x7f81e49f0e80 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #10 0x7f81e49fd7cf in go_file_opener_open /goffice/goffice/app/file.c:417
    #11 0x7f81e5b60c50 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #12 0x7f81e5b6143f in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #13 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #14 0x7f81e02e0bc4 in __libc_start_main ??:?
    #15 0x403de8 in _start ??:?
0x600c00096e9e is located 0 bytes to the right of 62-byte region [0x600c00096e60,0x600c00096e9e)

--
Juha Kylmänen
Research Assistant, OUSPG
Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find. *** This bug has been marked as a duplicate of bug 720358 ***