After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 749181 - Global buffer overread in xlsx-read.c on a fuzzed xlsx file
Global buffer overread in xlsx-read.c on a fuzzed xlsx file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2015-05-10 08:11 UTC by jutaky
Modified: 2015-05-10 19:09 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2015-05-10 08:11:06 UTC 
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_29042_80873.xlsx

$ ssconvert gnumeric_case_29042_80873.xlsx /tmp/out.gnumeric

==32296==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f7f8cb98df0 at pc 0x7f7f8c84243b bp 0x7fff77ae7120 sp 0x7fff77ae7110
READ of size 8 at 0x7f7f8cb98df0 thread T0
    #0 0x7f7f8c84243a in attr_enum gnumeric/gnumeric/plugins/excel/xlsx-read.c:448
    #1 0x7f7f8c8463dd in simple_enum gnumeric/gnumeric/plugins/excel/xlsx-read.c:856
    #2 0x7f7f8c85d516 in xlsx_scatter_style gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:1261
    #3 0x7f7fb0a8ef36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #4 0x7f7fb0a8f27e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #5 0x7f7fb0a900dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #6 0x7f7fb028201f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #7 0x7f7fb028ea8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #8 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #9 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #10 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #11 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #12 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #13 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #14 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #15 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #16 0x7f7fb0297e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #17 0x7f7fb0a930df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #18 0x7f7fb0aa50c7 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432
    #19 0x7f7f8c8419ad in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383
    #20 0x7f7f8c86a515 in xlsx_read_chart gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:3061
    #21 0x7f7fb0a8ef36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #22 0x7f7fb0a8f27e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #23 0x7f7fb0a900dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #24 0x7f7fb028201f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #25 0x7f7fb028ea8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #26 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #27 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #28 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #29 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #30 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #31 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #32 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #33 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #34 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #35 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #36 0x7f7fb0297e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #37 0x7f7fb0a930df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #38 0x7f7fb0aa50c7 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432
    #39 0x7f7f8c8419ad in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383
    #40 0x7f7f8c86dafc in xlsx_sheet_drawing gnumeric/gnumeric/plugins/excel/xlsx-read-drawing.c:3568
    #41 0x7f7fb0a8ef36 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658
    #42 0x7f7fb0a8f27e in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694
    #43 0x7f7fb0a900dc in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786
    #44 0x7f7fb028201f in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676
    #45 0x7f7fb028ea8d in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080
    #46 0x7f7fb028ddf5 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990
    #47 0x7f7fb028fa24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163
    #48 0x7f7fb0297e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #49 0x7f7fb0a930df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #50 0x7f7f8c8417b5 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358
    #51 0x7f7f8c88a0fd in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3996
    #52 0x7f7fb0a907de in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863
    #53 0x7f7fb0282d7b in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747
    #54 0x7f7fb028fe6b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191
    #55 0x7f7fb0297e1c in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849
    #56 0x7f7fb0a930df in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338
    #57 0x7f7f8c8417b5 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358
    #58 0x7f7f8c892c47 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5153
    #59 0x7f7fb15883af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #60 0x7f7fb158e4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #61 0x7f7fb1596550 in go_file_opener_open app/file.c:417
    #62 0x7f7fb24742df in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #63 0x7f7fb2474779 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #64 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #65 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #66 0x7f7faaba47ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #67 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x7f7f8cb98df0 is located 0 bytes to the right of global variable 'styles' from 'xlsx-read.c' (0x7f7f8cb98d80) of size 112
SUMMARY: AddressSanitizer: global-buffer-overflow gnumeric/gnumeric/plugins/excel/xlsx-read.c:448 attr_enum

--
Juha Kylmänen
Comment 1 Morten Welinder 2015-05-10 19:09:58 UTC 
Very good catch!

I fixed a handful of these.  Valgrind does not see them.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.