Bug 749166 – Null pointer crash in xlsx-read-drawing.c on a fuzzed xlsx file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 749166 - Null pointer crash in xlsx-read-drawing.c on a fuzzed xlsx file


Summary:	Null pointer crash in xlsx-read-drawing.c on a fuzzed xlsx file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2015-05-09 18:17 UTC by jutaky
Modified:	2015-05-09 20:24 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-05-09 18:17:49 UTC

Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2339_21685.xlsx

$ ssconvert gnumeric_case_2339_21685.xlsx /tmp/out.gnumeric

==22093==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fddc8c8ec22 sp 0x7ffd25464c70 bp 0x7ffd25464d50 T0)
    #0 0x7fddc8c8ec21 in xlsx_read_chart gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:3090
    #1 0x7fddeceb1f36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #2 0x7fddeceb227e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #3 0x7fddeceb30dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #4 0x7fddec6a501f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #5 0x7fddec6b1a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #6 0x7fddec6b0df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #7 0x7fddec6b2a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #8 0x7fddec6b0df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #9 0x7fddec6b2a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #10 0x7fddec6b0df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #11 0x7fddec6b2a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #12 0x7fddec6b0df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #13 0x7fddec6b2a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #14 0x7fddec6b0df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #15 0x7fddec6b2a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #16 0x7fddec6bae1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #17 0x7fddeceb60df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #18 0x7fddecec80c7 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432
    #19 0x7fddc8c6596d in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383
    #20 0x7fddc8c91977 in xlsx_sheet_drawing gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:3561
    #21 0x7fddeceb1f36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #22 0x7fddeceb227e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #23 0x7fddeceb30dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #24 0x7fddec6a501f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #25 0x7fddec6b1a8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #26 0x7fddec6b0df5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #27 0x7fddec6b2a24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #28 0x7fddec6bae1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #29 0x7fddeceb60df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #30 0x7fddc8c65775 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358
    #31 0x7fddc8caddf4 in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3907
    #32 0x7fddeceb37de in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863
    #33 0x7fddec6a5d7b in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747
    #34 0x7fddec6b2e6b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191
    #35 0x7fddec6bae1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #36 0x7fddeceb60df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #37 0x7fddc8c65775 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358
    #38 0x7fddc8cb6927 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5043
    #39 0x7fdded9ab3af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #40 0x7fdded9b14fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #41 0x7fdded9b9550 in go_file_opener_open app/file.c:417
    #42 0x7fddee897331 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #43 0x7fddee8977cb in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #44 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #45 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #46 0x7fdde6fc87ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #47 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-05-09 20:24:42 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.