Bug 748535 - Bad free in od_draw_frame_end_full on a fuzzed sxc file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export OOo / OASIS
Version: git master
Hardware/OS: Other Linux
Priority/Severity: Normal critical
Target Milestone: ---
Assigned To: Andreas J. Guelzow
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2015-04-27 15:46 UTC by jutaky
Modified: 2015-04-28 01:05 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description jutaky 2015-04-27 15:46:03 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_10895_141.sxc

ssconvert gnumeric_case_10895_141.sxc /tmp/out.gnumeric

==25616==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ffc3970e408 in thread T0
    #0 0x7fbb1cfab52f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
    #1 0x7fbb1520ccde in g_free gnumeric/glib/glib/gmem.c:192
    #2 0x7fbaf67a0b1d in od_draw_frame_end_full gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8052
    #3 0x7fbaf67a0fa8 in odf_line_end gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:8084
    #4 0x7fbb1aae77de in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863
    #5 0x7fbb1a2d9d7b in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747
    #6 0x7fbb1a2e6e6b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191
    #7 0x7fbb1a2e4df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #8 0x7fbb1a2e6a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #9 0x7fbb1a2e4df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #10 0x7fbb1a2e6a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #11 0x7fbb1a2e4df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #12 0x7fbb1a2e6a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #13 0x7fbb1a2e4df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #14 0x7fbb1a2e6a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #15 0x7fbb1a2e4df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #16 0x7fbb1a2e6a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #17 0x7fbb1a2eee1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #18 0x7fbb1aaea0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #19 0x7fbaf67c8747 in openoffice_file_open gnumeric/gnumeric/plugins/openoffice/openoffice-read.c:13607
    #20 0x7fbb1b5df2df in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #21 0x7fbb1b5e542a in go_plugin_file_opener_open app/go-plugin-service.c:685
    #22 0x7fbb1b5ed480 in go_file_opener_open app/file.c:417
    #23 0x7fbb1c4c8e6a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #24 0x7fbb1c4c9304 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #25 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #26 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #27 0x7fbb14c117ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #28 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free

--
Juha Kylmänen
Comment 1 Morten Welinder 2015-04-27 20:42:24 UTC
Confirmed.  Here's valgrind's take:


==19641== Conditional jump or move depends on uninitialised value(s)
==19641==    at 0x8B82DF3: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
==19641==    by 0x14C87626: od_draw_frame_end_full.isra.18 (openoffice-read.c:8052)
==19641==    by 0x14C944CF: odf_line_end (openoffice-read.c:8084)
==19641==    by 0x5BF3958: gsf_xml_in_end_element (gsf-libxml.c:863)
==19641==    by 0x60803CC: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x60868FA: xmlParseElement (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x6085E27: xmlParseContent (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x60866A2: xmlParseElement (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x6085E27: xmlParseContent (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x60866A2: xmlParseElement (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x6085E27: xmlParseContent (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x60866A2: xmlParseElement (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x6085E27: xmlParseContent (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x60866A2: xmlParseElement (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x6085E27: xmlParseContent (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x60866A2: xmlParseElement (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x6086CA9: xmlParseDocument (in /usr/lib64/libxml2.so.2.9.1)
==19641==    by 0x5BF4763: gsf_xml_in_doc_parse (gsf-libxml.c:1338)
==19641==    by 0x14C9F888: openoffice_file_open (openoffice-read.c:13607)
==19641==    by 0x541C53A: go_plugin_file_opener_open (go-plugin-service.c:685)
==19641==    by 0x4F9BB1E: workbook_view_new_from_input (workbook-view.c:1278)
==19641==    by 0x4F9BD6B: workbook_view_new_from_uri (workbook-view.c:1337)
==19641==    by 0x404805: convert (ssconvert.c:715)
==19641==    by 0x403AD6: main (ssconvert.c:903)
==19641==  Uninitialised value was created by a stack allocation
==19641==    at 0x14C9EE30: openoffice_file_open (openoffice-read.c:13386)
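Added example (not Gnumeric's code, and not from either commenter): a small C model of the defect class the two traces describe. The names frame_state, frame_start, frame_end, checked_free and demo_* are hypothetical; the real handlers are od_draw_frame_end_full and openoffice_file_open in openoffice-read.c. The model shows why a pointer field that is assigned on only some parse paths, inside a state struct declared on the stack without initialisation, reaches g_free holding leftover stack contents (valgrind's "uninitialised value was created by a stack allocation"), and how zero-initialising the struct plus free-then-NULL turns that path into a harmless no-op. Reading a genuinely uninitialised pointer is undefined behaviour, so the stack leftover is modelled explicitly by the address of a local, and a small allocation registry stands in for the sanitizer's bad-free check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-element parse state (not Gnumeric's struct): a
 * stack-allocated state whose pointer field is only assigned on some
 * parse paths and released unconditionally in the end-element handler. */
typedef struct {
    char *name;     /* only set when the element carries a name attribute */
} frame_state;

/* Tiny allocation registry so the demo can classify a free() target safely,
 * standing in for what ASan/valgrind do at runtime. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int n_live;

static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL || n_live == MAX_LIVE) {
        free(copy);
        return NULL;
    }
    memcpy(copy, s, n);
    live[n_live++] = copy;
    return copy;
}

/* 1: p was a live allocation and has been freed; 0: p was NULL (no-op, like
 * g_free(NULL)); -1: p is not an address we handed out, i.e. a bad free. */
static int checked_free(void *p)
{
    if (p == NULL)
        return 0;
    for (int i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];   /* unregister, then release */
            free(p);
            return 1;
        }
    }
    return -1;
}

int live_allocations(void)
{
    return n_live;
}

/* Start handler: assigns the pointer only when the attribute is present. */
static void frame_start(frame_state *st, const char *attr_name)
{
    if (attr_name != NULL)
        st->name = tracked_strdup(attr_name);
}

/* End handler: releases the pointer unconditionally, the way the trace shows
 * od_draw_frame_end_full calling g_free. */
static int frame_end(frame_state *st)
{
    int rc = checked_free(st->name);
    st->name = NULL;    /* free-then-NULL: a repeated end handler becomes a no-op */
    return rc;
}

/* Buggy flow: the state struct is declared without initialising its pointer.
 * The leftover stack contents are modelled by the address of a local, since
 * reading a truly uninitialised pointer is undefined behaviour. */
int demo_uninitialised(const char *attr_name)
{
    int stack_leftover = 0;
    frame_state st;
    st.name = (char *)&stack_leftover;  /* stands in for stack garbage */
    frame_start(&st, attr_name);
    return frame_end(&st);
}

/* Fixed flow: every pointer field starts out NULL, so the end handler's free
 * is a no-op on the path where the start handler never assigned it. */
int demo_initialised(const char *attr_name)
{
    frame_state st = { NULL };
    frame_start(&st, attr_name);
    return frame_end(&st);
}

int main(void)
{
    printf("uninitialised, attribute present: %d\n", demo_uninitialised("frame1"));
    printf("uninitialised, attribute absent:  %d (bad free)\n", demo_uninitialised(NULL));
    printf("initialised,   attribute present: %d\n", demo_initialised("frame1"));
    printf("initialised,   attribute absent:  %d (no-op)\n", demo_initialised(NULL));
    printf("live allocations at exit: %d\n", live_allocations());
    return 0;
}
```

Build with gcc -Wall -o demo demo.c and run it: the uninitialised flow with the attribute absent returns -1 (the bad-free outcome), the initialised flow returns 0 on the same input, and no allocations are left live. The same program rewritten to call free() directly on the stack address, built with -fsanitize=address, reports the "attempting free on address which was not malloc()-ed" class of error quoted in the description.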
Comment 2 Andreas J. Guelzow 2015-04-28 01:05:50 UTC
This problem has been fixed in the unstable development version. The fix will be available in the next major software release. You may need to upgrade your Linux distribution to obtain that newer version.