Bug 750810 – Segfault in ms-excel-read.c:3541 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 750810 - Segfault in ms-excel-read.c:3541 on a fuzzed xls file


Summary:	Segfault in ms-excel-read.c:3541 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-06-11 20:21 UTC by jutaky
Modified:	2015-06-12 00:24 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-06-11 20:21:52 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_ms-excel-read.c.3541.xls

$ ssconvert gnumeric_case_ms-excel-read.c.3541.xls /tmp/out.gnumeric

==8542==ERROR: AddressSanitizer: SEGV on unknown address 0x6113d70fae20 (pc 0x7f9e2f0c8b79 bp 0x7fff2a662770 sp 0x7fff2a661f00 T0)
    #0 0x7f9e2f0c8b78 in gnm_xl_importer_free gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3541:8
    #1 0x7f9e2f06606c in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7355:2
    #2 0x7f9e2efb1c95 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #3 0x7f9e2efb3554 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #4 0x7f9e54a2f5e8 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #5 0x7f9e54a4ee4d in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #6 0x7f9e54a6365b in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #7 0x7f9e57adc297 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #8 0x7f9e57adce80 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #9 0x4e7171 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #10 0x4e49fc in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #11 0x7f9e4e99778f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #12 0x438988 in _start (apps/bin/ssconvert+0x438988)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3541 gnm_xl_importer_free

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-06-12 00:24:58 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.