After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 749185 - Global buffer overread in excel/ms-chart.c on an ods to xls conversion
Global buffer overread in excel/ms-chart.c on an ods to xls conversion
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other Linux
: Normal critical
: ---
Assigned To: Jody Goldberg
Jody Goldberg
Depends on:
Blocks:
 
 
Reported: 2015-05-10 08:49 UTC by jutaky
Modified: 2015-05-10 19:24 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description jutaky 2015-05-10 08:49:53 UTC 
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_24118_70910.2xls.ods

$ ssconvert gnumeric_case_24118_70910.2xls.ods /tmp/out.xls

==27398==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fc1880c1fdc at pc 0x7fc187fbcd7c bp 0x7ffcd30b8830 sp 0x7ffcd30b8820
READ of size 4 at 0x7fc1880c1fdc thread T0
    #0 0x7fc187fbcd7b in chart_write_MARKERFORMAT gnumeric/gnumeric/plugins/excel/ms-chart.c:4096
    #1 0x7fc187fc0e73 in chart_write_style gnumeric/gnumeric/plugins/excel/ms-chart.c:4445
    #2 0x7fc187fc4ac9 in chart_write_series gnumeric/gnumeric/plugins/excel/ms-chart.c:4722
    #3 0x7fc187fd2b87 in ms_excel_chart_write gnumeric/gnumeric/plugins/excel/ms-chart.c:5860
    #4 0x7fc187f5a350 in excel_write_chart_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:4348
    #5 0x7fc187f60951 in excel_write_obj_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5034
    #6 0x7fc187f66bf0 in excel_write_objs_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5605
    #7 0x7fc187f6833a in excel_write_sheet gnumeric/gnumeric/plugins/excel/ms-excel-write.c:5693
    #8 0x7fc187f7211e in excel_write_workbook gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6529
    #9 0x7fc187f72a42 in excel_write_v8 gnumeric/gnumeric/plugins/excel/ms-excel-write.c:6582
    #10 0x7fc187ecd253 in excel_save gnumeric/gnumeric/plugins/excel/boot.c:304
    #11 0x7fc187ecd6fb in excel_biff8_file_save gnumeric/gnumeric/plugins/excel/boot.c:350
    #12 0x7fc1a0e7e0f8 in go_plugin_loader_module_func_file_save app/go-plugin-loader-module.c:366
    #13 0x7fc1a0e8550a in go_plugin_file_saver_save app/go-plugin-service.c:948
    #14 0x7fc1a0e8e3ec in go_file_saver_save app/file.c:848
    #15 0x7fc1a1d67801 in wbv_save_to_output gnumeric/gnumeric/src/workbook-view.c:1059
    #16 0x7fc1a1d67cbb in wb_view_save_to_uri gnumeric/gnumeric/src/workbook-view.c:1093
    #17 0x7fc1a1d6822d in wb_view_save_as gnumeric/gnumeric/src/workbook-view.c:1129
    #18 0x408c24 in convert gnumeric/gnumeric/src/ssconvert.c:831
    #19 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #20 0x7fc19a4997ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #21 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x7fc1880c1fdc is located 0 bytes to the right of global variable 'shape_map' from 'ms-chart.c' (0x7fc1880c1fa0) of size 60
0x7fc1880c1fdc is located 36 bytes to the left of global variable '__FUNCTION__' from 'ms-chart.c' (0x7fc1880c2000) of size 21
  '__FUNCTION__' is ascii string 'chart_write_position'
SUMMARY: AddressSanitizer: global-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-chart.c:4096 chart_write_MARKERFORMAT

--
Juha Kylmänen
Comment 1 Morten Welinder 2015-05-10 19:23:43 UTC 
A translation table was missing an item.
Comment 2 Morten Welinder 2015-05-10 19:24:05 UTC 
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.