GNOME Bugzilla – Bug 748595
Heap-buffer overread in gnm_xml_in_cur_obj on a fuzzed .gnumeric file
Last modified: 2015-04-28 17:35:22 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_10926_31030.gnumeric

ssconvert gnumeric_case_10926_31030.gnumeric /tmp/out.gnumeric

==26698==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700005a660 at pc 0x7ff6b2beda8b bp 0x7fff85ae7ba0 sp 0x7fff85ae7b90
READ of size 8 at 0x60700005a660 thread T0
    #0 0x7ff6b2beda8a in gnm_xml_in_cur_obj gnumeric/gnumeric/src/xml-sax-read.c:414
    #1 0x7ff6b2c0a0b9 in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3247
    #2 0x7ff6b11b840d in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812
    #3 0x7ff6b09aa01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #4 0x7ff6b09b6a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #5 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #6 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #7 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #8 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #9 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #10 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #11 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #12 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #13 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #14 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #15 0x7ff6b09bfe1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #16 0x7ff6b11bb0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #17 0x7ff6b2c0b501 in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3383
    #18 0x7ff6b2c0c7d3 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3512
    #19 0x7ff6b1cbca77 in go_file_opener_open_real app/file.c:159
    #20 0x7ff6b1cbe480 in go_file_opener_open app/file.c:417
    #21 0x7ff6b2b9b4aa in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #22 0x7ff6b2b9b944 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #23 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #24 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #25 0x7ff6ab2dd7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #26 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x60700005a660 is located 0 bytes to the right of 80-byte region [0x60700005a610,0x60700005a660)
allocated by thread T0 here:
    #0 0x7ff6b3682905 in __interceptor_calloc (/usr/lib/libasan.so.1+0x57905)
    #1 0x7ff6ab8d8bec in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7ff6ab8d8ee5 in g_malloc0_n gnumeric/glib/glib/gmem.c:360
    #3 0x7ff6b11ba66a in gsf_xml_in_doc_add_nodes gnumeric/libgsf/gsf/gsf-libxml.c:1219
    #4 0x7ff6b11ba177 in gsf_xml_in_doc_new gnumeric/libgsf/gsf/gsf-libxml.c:1142
    #5 0x7ff6b1d2c00a in gog_object_sax_push_parser graph/gog-object-xml.c:532
    #6 0x7ff6b2af6d1a in gnm_sog_prep_sax_parser gnumeric/gnumeric/src/sheet-object-graph.c:438
    #7 0x7ff6b2c03965 in xml_sax_read_obj gnumeric/gnumeric/src/xml-sax-read.c:2427
    #8 0x7ff6b2c0a09b in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3246
    #9 0x7ff6b11b840d in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812
    #10 0x7ff6b09aa01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #11 0x7ff6b09b6a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #12 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #13 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #14 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #15 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #16 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #17 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #18 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #19 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #20 0x7ff6b09b5df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #21 0x7ff6b09b7a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #22 0x7ff6b09bfe1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #23 0x7ff6b11bb0df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #24 0x7ff6b2c0b501 in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3383
    #25 0x7ff6b2c0c7d3 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3512
    #26 0x7ff6b1cbca77 in go_file_opener_open_real app/file.c:159
    #27 0x7ff6b1cbe480 in go_file_opener_open app/file.c:417
    #28 0x7ff6b2b9b4aa in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #29 0x7ff6b2b9b944 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/xml-sax-read.c:414 gnm_xml_in_cur_obj

-- Juha Kylmänen
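Added triage tooling, not part of this bug report and not code from Gnumeric, libgsf or GOffice: a Python script that reduces an AddressSanitizer heap report like the one above to the fields a fuzzing triage pipeline wants: fault function and location, access width, the allocation site once the allocator wrappers (ASan interceptor, g_malloc0, g_malloc0_n) are skipped, and where the access lands relative to the allocated region. For this report it works out that a READ of 8 bytes at 0 bytes past an 80-byte region is an access to slot 10 of a 10-slot region of 8-byte elements, the classic one-past-the-end read. The embedded report is an abridged copy of the one in this bug with the repeated libxml2 recursion frames removed, and the allocator-wrapper list is an assumption of the script.

```python
import re

# Constructed sample: an abridged copy of the AddressSanitizer report from this
# bug, with the repeated libxml2 recursion frames removed so the script runs offline.
SAMPLE_REPORT = """\
==26698==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700005a660 at pc 0x7ff6b2beda8b bp 0x7fff85ae7ba0 sp 0x7fff85ae7b90
READ of size 8 at 0x60700005a660 thread T0
    #0 0x7ff6b2beda8a in gnm_xml_in_cur_obj gnumeric/gnumeric/src/xml-sax-read.c:414
    #1 0x7ff6b2c0a0b9 in xml_sax_unknown gnumeric/gnumeric/src/xml-sax-read.c:3247
    #2 0x7ff6b11b840d in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:812
    #3 0x7ff6b09aa01f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
0x60700005a660 is located 0 bytes to the right of 80-byte region [0x60700005a610,0x60700005a660)
allocated by thread T0 here:
    #0 0x7ff6b3682905 in __interceptor_calloc (/usr/lib/libasan.so.1+0x57905)
    #1 0x7ff6ab8d8bec in g_malloc0 gnumeric/glib/glib/gmem.c:127
    #2 0x7ff6ab8d8ee5 in g_malloc0_n gnumeric/glib/glib/gmem.c:360
    #3 0x7ff6b11ba66a in gsf_xml_in_doc_add_nodes gnumeric/libgsf/gsf/gsf-libxml.c:1219
    #4 0x7ff6b11ba177 in gsf_xml_in_doc_new gnumeric/libgsf/gsf/gsf-libxml.c:1142
SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/xml-sax-read.c:414 gnm_xml_in_cur_obj
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^\s*(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")

# Allocator entry points to skip when naming the "allocation site".  This list is
# an assumption; extend it with the wrappers of whatever project is being fuzzed.
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "g_malloc", "g_malloc0",
                  "g_malloc_n", "g_malloc0_n", "g_realloc", "g_realloc_n"}


def is_alloc_wrapper(func):
    return func.startswith("__interceptor_") or func in ALLOC_WRAPPERS


def frames(text):
    """Return [(function, location), ...] for every stack frame in text."""
    return [(m.group("func"), m.group("loc")) for m in FRAME_RE.finditer(text)]


def triage(report):
    """Reduce an ASan heap-buffer-overflow report to the fields worth filing."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognisable AddressSanitizer heap report")

    # The access stack precedes "allocated by ..."; the allocation stack follows it.
    access_text, _, alloc_text = report.partition("allocated by thread")
    access_frames, alloc_frames = frames(access_text), frames(alloc_text)
    if not access_frames:
        raise ValueError("no access stack in report")
    site = next(((f, l) for f, l in alloc_frames if not is_alloc_wrapper(f)), (None, None))

    addr, lo = int(acc.group("addr"), 16), int(reg.group("lo"), 16)
    access_size, region_size = int(acc.group("size")), int(reg.group("size"))
    offset = addr - lo                       # byte offset of the access from region start
    # How much of the accessed range falls outside [0, region_size).
    overlap = max(0, min(offset + access_size, region_size) - max(offset, 0))
    # When the region is a whole number of access-sized slots, also report the slot
    # index: slot == capacity (offset == region_size) is the one-past-the-end case.
    exact = offset % access_size == 0 and region_size % access_size == 0
    return {
        "kind": err.group("kind"),
        "op": acc.group("op"),
        "access_size": access_size,
        "fault_func": access_frames[0][0],
        "fault_loc": access_frames[0][1],
        "alloc_func": site[0],
        "alloc_loc": site[1],
        "region_size": region_size,
        "offset": offset,
        "bytes_outside": access_size - overlap,
        "slot": offset // access_size if exact else None,
        "capacity": region_size // access_size if exact else None,
    }


def describe(t):
    """One-line human summary usable as a bug title or a deduplication key."""
    where = f"{t['fault_func']} ({t['fault_loc']})"
    alloc = f"{t['alloc_func']} ({t['alloc_loc']})" if t["alloc_func"] else "unknown site"
    if t["slot"] is not None:
        span = f"slot {t['slot']} in a {t['capacity']}-slot region"
    else:
        span = f"offset {t['offset']} in a {t['region_size']}-byte region"
    return (f"{t['kind']}: {t['op']} of {t['access_size']} bytes at {span} "
            f"in {where}; region allocated by {alloc}")


if __name__ == "__main__":
    print(describe(triage(SAMPLE_REPORT)))
```

The dedup key it produces (fault function plus allocation site plus slot) is more stable across fuzz runs than the raw report, because addresses and the libxml2 recursion depth change from file to file while the off-by-one does not.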
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.