GNOME Bugzilla – Bug 749118
Heap-buffer overread in glib/gconvert.c on a fuzzed xls file
Last modified: 2015-05-09 16:49:02 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24050_32739.xls

ssconvert gnumeric_case_24050_32739.xls /tmp/out.gnumeric

==17693==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b6e80 at pc 0x7fc89066dee2 bp 0x7ffcdce24d10 sp 0x7ffcdce24cd0
READ of size 152 at 0x6020001b6e80 thread T0
    #0 0x7fc89066dee1 in iconv (/usr/lib/libasan.so.1+0x37ee1)
    #1 0x7fc8888acfed in g_iconv gnumeric/glib/glib/gconvert.c:279
    #2 0x7fc869e767ed in excel_get_chars gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1027
    #3 0x7fc869e76eb6 in excel_get_text gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1082
    #4 0x7fc869e771c9 in excel_get_text_fixme gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1109
    #5 0x7fc869e921b3 in excel_read_name_str gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3788
    #6 0x7fc869e926a7 in excel_read_EXTERNNAME gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3818
    #7 0x7fc869eb6f04 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7227
    #8 0x7fc869e505b8 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #9 0x7fc869e50e97 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #10 0x7fc88ecb63af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #11 0x7fc88ecbc4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #12 0x7fc88ecc4550 in go_file_opener_open app/file.c:417
    #13 0x7fc88fba229a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #14 0x7fc88fba2734 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #15 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #16 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #17 0x7fc8882dc7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #18 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x6020001b6e80 is located 0 bytes to the right of 16-byte region [0x6020001b6e70,0x6020001b6e80)
allocated by thread T0 here:
    #0 0x7fc89068d7a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7fc8888d7b7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7fc8888d7e71 in g_malloc_n gnumeric/glib/glib/gmem.c:336
    #3 0x7fc869e55326 in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:459
    #4 0x7fc869eb7a1c in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7152
    #5 0x7fc869e505b8 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #6 0x7fc869e50e97 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #7 0x7fc88ecb63af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #8 0x7fc88ecbc4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #9 0x7fc88ecc4550 in go_file_opener_open app/file.c:417
    #10 0x7fc88fba229a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #11 0x7fc88fba2734 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #12 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #13 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #14 0x7fc8882dc7ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

-- Juha Kylmänen
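The trace above shows a 152-byte read from a 16-byte record buffer allocated in the BIFF record reader, the shape of an in-record length field that is trusted without comparing it to the bytes actually present. The following is an added illustration of the check that closes that gap, not Gnumeric's or GLib's code: the record layout, the function names and the sample records are constructed assumptions, and the page does not state the actual root cause.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example: a 2-byte little-endian
 * character count followed by the characters. (Real BIFF strings also
 * carry flag bytes; those are left out here.) */
#define LEN_FIELD 2

/* Returns the byte count the record claims, reading only the length
 * field. A count larger than rec_len - LEN_FIELD is the condition that
 * would let a converter read past the end of the record buffer. */
size_t claimed_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < LEN_FIELD) return 0;
    return (size_t)rec[0] | ((size_t)rec[1] << 8);
}

/* Copies the string into out (NUL-terminated) only when the claimed
 * length fits inside both the record and out. Returns the copied length,
 * or -1 when the record is truncated or the count overruns it. */
long extract_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap) {
    if (rec_len < LEN_FIELD) return -1;
    size_t n = claimed_len(rec, rec_len);
    if (n > rec_len - LEN_FIELD) return -1;   /* count exceeds the record */
    if (n + 1 > out_cap) return -1;           /* no room for the terminator */
    memcpy(out, rec + LEN_FIELD, n);
    out[n] = '\0';
    return (long)n;
}

/* Constructed records: a well-formed 5-character name, and a 16-byte
 * record whose count (0x98 = 152) is larger than the record itself,
 * mirroring the 152-byte read from a 16-byte region in the trace. */
static const uint8_t good_rec[] = { 0x05, 0x00, 'S', 'h', 'e', 'e', 't' };
static const uint8_t bad_rec[16] = { 0x98, 0x00, 'A', 'A', 'A', 'A', 'A', 'A', 'A',
                                     'A', 'A', 'A', 'A', 'A', 'A', 'A' };
char scratch[64];

int main(void) {
    long n = extract_checked(good_rec, sizeof good_rec, scratch, sizeof scratch);
    printf("good record: %ld bytes, \"%s\"\n", n, scratch);
    n = extract_checked(bad_rec, sizeof bad_rec, scratch, sizeof scratch);
    printf("bad record: result %ld (claimed %zu bytes in a %zu-byte record)\n",
           n, claimed_len(bad_rec, sizeof bad_rec), sizeof bad_rec);
    return 0;
}
```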
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.