GNOME Bugzilla – Bug 749184
Heap-buffer overread in ms-excel-read.c on a fuzzed xls file
Last modified: 2015-05-10 21:13:56 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_2339_168173.xls

$ ssconvert gnumeric_case_2339_168173.xls /tmp/out.gnumeric
==13791==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b0ea0 at pc 0x7f64be7dc6b0 bp 0x7ffd82e88630 sp 0x7ffd82e88620
READ of size 1 at 0x6020001b0ea0 thread T0
    #0 0x7f64be7dc6af in excel_get_chars gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1017
    #1 0x7f64be874fd2 in ms_read_TXO gnumeric/gnumeric/plugins/excel/ms-obj.c:441
    #2 0x7f64be7ccd77 in ms_escher_read_ClientTextbox gnumeric/gnumeric/plugins/excel/ms-escher.c:2019
    #3 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #4 0x7f64be7c7f53 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:555
    #5 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #6 0x7f64be7cc83e in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1989
    #7 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #8 0x7f64be7cc892 in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1994
    #9 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #10 0x7f64be7ceb09 in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2224
    #11 0x7f64be819011 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6781
    #12 0x7f64be81b99e in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7075
    #13 0x7f64be81ccb6 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7181
    #14 0x7f64be7b6648 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #15 0x7f64be7b6f27 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #16 0x7f64e36273af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #17 0x7f64e362d4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #18 0x7f64e3635550 in go_file_opener_open app/file.c:417
    #19 0x7f64e45132df in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #20 0x7f64e4513779 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #21 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #22 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #23 0x7f64dcc437ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #24 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x6020001b0ea0 is located 0 bytes to the right of 16-byte region [0x6020001b0e90,0x6020001b0ea0)
allocated by thread T0 here:
    #0 0x7f64e4fff7a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7f64dd23eb7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f64dd23ee71 in g_malloc_n gnumeric/glib/glib/gmem.c:336
    #3 0x7f64be7bb3b6 in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:459
    #4 0x7f64be874d96 in ms_read_TXO gnumeric/gnumeric/plugins/excel/ms-obj.c:435
    #5 0x7f64be7ccd77 in ms_escher_read_ClientTextbox gnumeric/gnumeric/plugins/excel/ms-escher.c:2019
    #6 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #7 0x7f64be7c7f53 in ms_escher_read_SpContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:555
    #8 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #9 0x7f64be7cc83e in ms_escher_read_SpgrContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1989
    #10 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #11 0x7f64be7cc892 in ms_escher_read_DgContainer gnumeric/gnumeric/plugins/excel/ms-escher.c:1994
    #12 0x7f64be7ce2ea in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2157
    #13 0x7f64be7ceb09 in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2224
    #14 0x7f64be819011 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6781
    #15 0x7f64be81b99e in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7075
    #16 0x7f64be81ccb6 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7181
    #17 0x7f64be7b6648 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #18 0x7f64be7b6f27 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #19 0x7f64e36273af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #20 0x7f64e362d4fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #21 0x7f64e3635550 in go_file_opener_open app/file.c:417
    #22 0x7f64e45132df in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #23 0x7f64e4513779 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #24 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #25 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #26 0x7f64dcc437ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1017 excel_get_chars

-- Juha Kylmänen
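Added illustration, not Gnumeric's code and not the fix that was committed: the trace above shows excel_get_chars reading one byte past a 16-byte record buffer that ms_biff_query_next had allocated while ms_read_TXO was consuming a text object, which is the general shape of a length field from the file being trusted beyond the bytes actually present in the record. The example below is a minimal BIFF-style record reader in C that rejects such a record instead of reading past it. The record header layout (u16 LE opcode, u16 LE payload length, payload) follows the BIFF record format; the text-object payload layout (u16 LE character count followed by 8-bit characters) is a simplification assumed for this example, and both sample records are constructed here, not taken from the fuzzed file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified BIFF record: u16 LE opcode, u16 LE payload length, then payload. */
typedef struct {
    uint16_t       opcode;
    const uint8_t *data;   /* payload; only 'len' bytes are valid */
    size_t         len;
} biff_rec;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse one record header from 'avail' bytes of stream. Returns 0 on success,
 * -1 if the header is truncated or the declared length runs past the stream. */
int biff_next(const uint8_t *buf, size_t avail, biff_rec *out)
{
    if (avail < 4)
        return -1;
    uint16_t len = rd16le(buf + 2);
    if (len > avail - 4)
        return -1;
    out->opcode = rd16le(buf);
    out->data   = buf + 4;
    out->len    = len;
    return 0;
}

/* Hypothetical text-object payload (simplified layout assumed for this example):
 * u16 LE character count, then that many 8-bit characters.
 * Returns the number of characters copied, or -1 if the count does not fit
 * inside the record or inside 'dst'. The count is file-controlled data, so it
 * is bounded by rec->len, the bytes that really exist, never by itself. */
int txo_get_chars(const biff_rec *rec, char *dst, size_t dstsz)
{
    if (rec->len < 2)
        return -1;
    size_t cch = rd16le(rec->data);
    if (cch > rec->len - 2)          /* would read past the record buffer */
        return -1;
    if (cch + 1 > dstsz)
        return -1;
    memcpy(dst, rec->data + 2, cch);
    dst[cch] = '\0';
    return (int)cch;
}

/* Constructed sample input: a well-formed 7-byte payload carrying "hello". */
static const uint8_t good_rec[] = {
    0xB6, 0x01,             /* opcode 0x01B6 (TxO record type) */
    0x07, 0x00,             /* payload length 7 */
    0x05, 0x00,             /* cch = 5 */
    'h', 'e', 'l', 'l', 'o'
};

/* Constructed fuzzed-style input: a 16-byte payload whose count claims 256
 * characters, so an unchecked reader would run off the end of the record. */
static const uint8_t bad_rec[] = {
    0xB6, 0x01,
    0x10, 0x00,             /* payload length 16 */
    0x00, 0x01,             /* cch = 256 */
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};

/* Returns the character count for the well-formed record (5), -2 if the
 * header fails to parse, -3 if the extracted text is not "hello". */
int demo_well_formed(void)
{
    static char out[32];
    biff_rec r;
    if (biff_next(good_rec, sizeof good_rec, &r) != 0)
        return -2;
    int n = txo_get_chars(&r, out, sizeof out);
    if (n >= 0 && strcmp(out, "hello") != 0)
        return -3;
    return n;
}

/* Returns -1: the header parses, but the oversized count is rejected. */
int demo_fuzzed(void)
{
    static char out[32];
    biff_rec r;
    if (biff_next(bad_rec, sizeof bad_rec, &r) != 0)
        return -2;
    return txo_get_chars(&r, out, sizeof out);
}

int main(void)
{
    printf("well-formed: %d\nfuzzed: %d\n", demo_well_formed(), demo_fuzzed());
    return 0;
}
```

The check that matters is the comparison of cch against rec->len - 2 in txo_get_chars: the record announces how many characters follow, but the only bound a reader may rely on is the number of bytes the record actually contains, which is what the 16-byte region in the ASan report represents. Building with -fsanitize=address, as the reporter did, is how the missing version of that check turns from a silent read of adjacent heap memory into a report like the one above.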
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.