GNOME Bugzilla – Bug 749270
Heap-buffer overread in glib/gconvert.c on a fuzzed xls file
Last modified: 2015-05-13 00:13:54 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_18292_37256.xls

$ ssconvert gnumeric_case_18292_37256.xls /tmp/out.gnumeric
==19354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000451fc at pc 0x7f384ffe5ee2 bp 0x7ffda7f8f140 sp 0x7ffda7f8f100
READ of size 47 at 0x6040000451fc thread T0
    #0 0x7f384ffe5ee1 in iconv (/usr/lib/libasan.so.1+0x37ee1)
    #1 0x7f3848218fed in g_iconv gnumeric/glib/glib/gconvert.c:279
    #2 0x7f3829cbe8d6 in excel_get_chars gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1027
    #3 0x7f3829cbef9f in excel_get_text gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1082
    #4 0x7f3829cbf2b2 in excel_get_text_fixme gnumeric/gnumeric/plugins/excel/ms-excel-read.c:1109
    #5 0x7f3829ced242 in excel_read_DV gnumeric/gnumeric/plugins/excel/ms-excel-read.c:5558
    #6 0x7f3829cfb594 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6829
    #7 0x7f3829cfda47 in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7077
    #8 0x7f3829cfed5f in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7183
    #9 0x7f3829c98648 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #10 0x7f3829c98f27 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #11 0x7f384e62c3af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #12 0x7f384e6324fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #13 0x7f384e63a550 in go_file_opener_open app/file.c:417
    #14 0x7f384f518d6f in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #15 0x7f384f519209 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #16 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #17 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #18 0x7f3847c487ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #19 0x4040f8 in _start (apps/bin/ssconvert+0x4040f8)

0x6040000451fc is located 0 bytes to the right of 44-byte region [0x6040000451d0,0x6040000451fc)
allocated by thread T0 here:
    #0 0x7f38500057a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7f3848243b7f in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f3848243e71 in g_malloc_n gnumeric/glib/glib/gmem.c:336
    #3 0x7f3829c9db58 in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:491
    #4 0x7f3829cfb8cc in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6610
    #5 0x7f3829cfda47 in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7077
    #6 0x7f3829cfed5f in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7183
    #7 0x7f3829c98648 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193
    #8 0x7f3829c98f27 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273
    #9 0x7f384e62c3af in go_plugin_loader_module_func_file_open app/go-plugin-loader-module.c:282
    #10 0x7f384e6324fa in go_plugin_file_opener_open app/go-plugin-service.c:685
    #11 0x7f384e63a550 in go_file_opener_open app/file.c:417
    #12 0x7f384f518d6f in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278
    #13 0x7f384f519209 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337
    #14 0x4080cb in convert gnumeric/gnumeric/src/ssconvert.c:715
    #15 0x409439 in main gnumeric/gnumeric/src/ssconvert.c:903
    #16 0x7f3847c487ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 iconv

Similarities in the trace to case #749118. If it matters.

-- Juha Kylmänen
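The report above shows the general shape of this bug class: a 44-byte BIFF record allocated by the record reader, and a 47-byte read issued from within it by the text-conversion path. The snippet below is an added illustration, not Gnumeric's code or the actual fix; `biff_record`, `read_record_string` and the sample records are constructed for this example. It shows the bounds check that keeps a length field taken from the file from reaching the converter when the record cannot hold that many bytes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of one BIFF record as handed out by the record reader:
 * `data` is an allocation of exactly `len` bytes (44 in the ASan report). */
typedef struct {
    const uint8_t *data;
    size_t         len;
} biff_record;

/* Hypothetical helper: at `offset` read a 16-bit little-endian char count,
 * then copy that many single-byte chars into `out`, NUL-terminated.
 * Returns the count, or -1 if the record cannot hold what the count claims.
 * Drop the `count > remaining` test and you have the shape of bug in the
 * trace: a length taken from the file reaches the converter, which reads
 * past the end of the record allocation. */
int read_record_string(const biff_record *rec, size_t offset,
                       char *out, size_t out_cap)
{
    if (rec->len < 2 || offset > rec->len - 2)   /* count field must fit */
        return -1;
    size_t count = rec->data[offset] | ((size_t)rec->data[offset + 1] << 8);
    size_t remaining = rec->len - offset - 2;    /* bytes after the count */
    if (count > remaining)                        /* claim exceeds record */
        return -1;
    if (count >= out_cap)                         /* room for the NUL */
        return -1;
    memcpy(out, rec->data + offset + 2, count);
    out[count] = '\0';
    return (int)count;
}

/* Constructed samples, not taken from the fuzzed file: a well-formed string,
 * and a 44-byte record whose count at offset 40 claims 47 chars although
 * only 2 bytes remain ("READ of size 47" against a 44-byte region). */
const uint8_t good_bytes[7] = { 5, 0, 'h', 'e', 'l', 'l', 'o' };
const uint8_t bad_bytes[44] = { [40] = 47, [41] = 0 };
const biff_record good_rec  = { good_bytes, sizeof good_bytes };
const biff_record bad_rec   = { bad_bytes,  sizeof bad_bytes  };

/* Returns 1 when the good record parses and the bad one is rejected. */
int check_records(void)
{
    char buf[16];
    int good = read_record_string(&good_rec, 0, buf, sizeof buf);
    int bad  = read_record_string(&bad_rec, 40, buf, sizeof buf);
    return good == 5 && strcmp(buf, "hello") == 0 && bad == -1;
}
```

Built with `-fsanitize=address`, the same harness with the `count > remaining` line removed reports a heap-buffer-overflow read of 47 bytes on the 44-byte `bad_bytes` region, matching the report.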
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.