Bug 748533 - Global buffer overread in xlsx_write_series_dim on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2015-04-27 15:21 UTC by jutaky
Modified: 2015-05-08 12:41 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2015-04-27 15:21:21 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_4061_7.2xlsx.xls

ssconvert gnumeric_case_4061_7.2xlsx.xls out.xlsx

==28457==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fcd771e29dc at pc 0x7fcd78487e10 bp 0x7ffce7cf36a0 sp 0x7ffce7cf3690
READ of size 4 at 0x7fcd771e29dc thread T0
    #0 0x7fcd78487e0f in xlsx_write_series_dim gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:94
    #1 0x7fcd7848f5b5 in xlsx_write_one_plot gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:990
    #2 0x7fcd78490ec2 in xlsx_write_plots gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1188
    #3 0x7fcd78491429 in xlsx_write_one_chart gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1230
    #4 0x7fcd78491a5e in xlsx_write_chart gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1274
    #5 0x7fcd784923ed in xlsx_write_drawing_objects gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1344
    #6 0x7fcd78499560 in xlsx_write_sheet gnumeric/gnumeric/plugins/excel/xlsx-write.c:2823
    #7 0x7fcd784a0a32 in xlsx_write_workbook gnumeric/gnumeric/plugins/excel/xlsx-write.c:3098
    #8 0x7fcd784a20d4 in xlsx2_file_save gnumeric/gnumeric/plugins/excel/xlsx-write.c:3264
    #9 0x7fcd9d153028 in go_plugin_loader_module_func_file_save app/go-plugin-loader-module.c:366
    #10 0x7fcd9d15a43a in go_plugin_file_saver_save app/go-plugin-service.c:948
    #11 0x7fcd9d16331c in go_file_saver_save app/file.c:848
    #12 0x7fcd9e03a38c in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059
    #13 0x7fcd9e03a846 in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093
    #14 0x7fcd9e03adb8 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129
    #15 0x408c24 in convert gnumeric/gnumeric/src/ssconvert.c:831
    #16 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #17 0x7fcd967847ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #18 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x7fcd771e29dc is located 28 bytes to the right of global variable 'gog_tool_move_pie' from 'gog-pie.c' (0x7fcd771e2980) of size 64
0x7fcd771e29dc is located 4 bytes to the left of global variable 'dimensions' from 'gog-pie.c' (0x7fcd771e29e0) of size 48

--
Juha Kylmänen
Comment 1 Morten Welinder 2015-04-27 20:44:59 UTC
The trouble starts on load.

** (/home/welinder/gnome-src/gnumeric/src/.libs/ssconvert:19688): CRITICAL **: gog_axis_get_labels: assertion 'GOG_IS_AXIS (axis)' failed

==19688== Conditional jump or move depends on uninitialised value(s)
==19688==    at 0x157C100D: gog_plot1_5d_update (gog-1.5d.c:217)
==19688==    by 0x5436257: gog_object_update (gog-object.c:1595)
==19688==    by 0x54361F7: gog_object_update (gog-object.c:1588)
==19688==    by 0x54361F7: gog_object_update (gog-object.c:1588)
==19688==    by 0x543D8C5: cb_graph_idle (gog-graph.c:849)
==19688==    by 0x8B7D315: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19688==    by 0x8B7D667: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19688==    by 0x8B7D70B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19688==    by 0x6F95440: gtk_main_iteration_do (in /usr/lib64/libgtk-3.so.0.1000.9)
==19688==    by 0x542011E: go_io_progress_update (io-context.c:309)
==19688==    by 0x14AE0E3E: excel_read_sheet (ms-excel-read.c:6592)
==19688==    by 0x14AE17F6: excel_read_BOF (ms-excel-read.c:7058)
==19688==    by 0x14AE2017: excel_read_workbook (ms-excel-read.c:7164)
==19688==    by 0x14AC043D: excel_enc_file_open (boot.c:193)
==19688==    by 0x14AC07AD: excel_file_open (boot.c:273)
==19688==    by 0x541C53A: go_plugin_file_opener_open (go-plugin-service.c:685)
==19688==    by 0x4F9BB1E: workbook_view_new_from_input (workbook-view.c:1278)
==19688==    by 0x4F9BD6B: workbook_view_new_from_uri (workbook-view.c:1337)
==19688==    by 0x404805: convert (ssconvert.c:715)
==19688==    by 0x403AD6: main (ssconvert.c:903)
==19688==  Uninitialised value was created by a stack allocation
==19688==    at 0x157C0A10: gog_plot1_5d_update (gog-1.5d.c:155)
==19688==
Comment 2 Morten Welinder 2015-04-27 21:41:19 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
Comment 3 jutaky 2015-04-28 16:06:35 UTC
After updating my environment I am still crashing at the given test case.
Comment 4 Morten Welinder 2015-04-28 17:38:36 UTC
This is strange.

Note that part of the fix was in goffice and part was in gnumeric.

Can you produce an updated stack trace?
Comment 5 jutaky 2015-05-06 17:25:10 UTC
After git pulls and recompiles:

==10896==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f15635489dc at pc 0x7f15647eccc4 bp 0x7ffe016c5000 sp 0x7ffe016c4ff0
READ of size 4 at 0x7f15635489dc thread T0
    #0 0x7f15647eccc3 in xlsx_write_series_dim gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:94
    #1 0x7f15647f45db in xlsx_write_one_plot gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:999
    #2 0x7f15647f5f08 in xlsx_write_plots gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1199
    #3 0x7f15647f646f in xlsx_write_one_chart gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1241
    #4 0x7f15647f6aa4 in xlsx_write_chart gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1285
    #5 0x7f15647f7433 in xlsx_write_drawing_objects gnumeric/gnumeric/plugins/excel/xlsx-write-drawing.c:1355
    #6 0x7f15647fe5a6 in xlsx_write_sheet gnumeric/gnumeric/plugins/excel/xlsx-write.c:2823
    #7 0x7f1564805a78 in xlsx_write_workbook gnumeric/gnumeric/plugins/excel/xlsx-write.c:3098
    #8 0x7f156480711a in xlsx2_file_save gnumeric/gnumeric/plugins/excel/xlsx-write.c:3264
    #9 0x7f15894c50f8 in go_plugin_loader_module_func_file_save app/go-plugin-loader-module.c:366
    #10 0x7f15894cc50a in go_plugin_file_saver_save app/go-plugin-service.c:948
    #11 0x7f15894d53ec in go_file_saver_save app/file.c:848
    #12 0x7f158a3ae7bc in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059
    #13 0x7f158a3aec76 in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093
    #14 0x7f158a3af1e8 in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129
    #15 0x408c24 in convert gnumeric/gnumeric/src/ssconvert.c:831
    #16 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #17 0x7f1582aea7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #18 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)
Comment 6 Morten Welinder 2015-05-06 17:37:38 UTC
I'll see what I can do, but I don't seem to trigger this on my machine.
Comment 7 jutaky 2015-05-07 14:12:15 UTC
Anything I could do to help?
Comment 8 Morten Welinder 2015-05-08 12:41:30 UTC
I think I got it.  This ought to have hit all graph saving to xlsx, but since
the problem is global_array[-1] (as opposed to allocated[-1]) Valgrind is
no help.  I suspect that AddressSanitizer is also only catching some of them.

Thanks for persisting.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
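
The global_array[-1] pattern named in comment 8, as an added example that is not Gnumeric or goffice code: a search over a global descriptor table that starts at a -1 pseudo-index, next to a version that never forms that index. The table, role names and function names are hypothetical and the data is constructed.

```c
#include <stdio.h>

/* Hypothetical roles and table; constructed for illustration only. */
enum dim_role { ROLE_LABELS, ROLE_CATEGORIES, ROLE_VALUES, ROLE_BUBBLES };
struct dim_desc { const char *name; enum dim_role role; };

static const struct dim_desc dimensions[] = {
    { "Categories", ROLE_CATEGORIES },
    { "Values",     ROLE_VALUES },
};
#define N_DIMS ((int)(sizeof dimensions / sizeof dimensions[0]))
#define DIM_LABELS    (-1)  /* pseudo-index: labels have no slot in the table */
#define DIM_NOT_FOUND (-2)

/* Flawed pattern, kept for comparison and never called here: the search
 * starts at the pseudo-index, so the first iteration reads tab[-1]. When
 * tab is a global array, that is whatever the linker placed before it. */
int find_dim_unchecked(const struct dim_desc *tab, int n, enum dim_role want)
{
    for (int dim = DIM_LABELS; dim < n; dim++)
        if (tab[dim].role == want)      /* out-of-bounds read at dim == -1 */
            return dim;
    return DIM_NOT_FOUND;
}

/* Corrected search: the pseudo-index is answered without a table access. */
int find_dim_checked(const struct dim_desc *tab, int n, enum dim_role want)
{
    if (want == ROLE_LABELS)
        return DIM_LABELS;
    for (int dim = 0; dim < n; dim++)
        if (tab[dim].role == want)
            return dim;
    return DIM_NOT_FOUND;
}

/* Accessor that refuses -1 and every other index outside [0, n). */
const struct dim_desc *dim_at(const struct dim_desc *tab, int n, int dim)
{
    return (dim >= 0 && dim < n) ? &tab[dim] : NULL;
}

int main(void)
{
    int d = find_dim_checked(dimensions, N_DIMS, ROLE_VALUES);
    printf("values -> index %d (%s)\n", d, dim_at(dimensions, N_DIMS, d)->name);
    return 0;
}
```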