GNOME Bugzilla – Bug 750860
Null pointer crash in gog-object.c:2056 on a fuzzed xlsx file
Last modified: 2015-06-17 06:45:34 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_3283_9138.xlsx

$ ssconvert gnumeric_case_3283_9138.xlsx /tmp/out.gnumeric
==19052==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcdd845dbdb bp 0x7ffe6766b0b0 sp 0x7ffe6766af40 T0)
    #0 0x7fcdd845dbda in gog_object_find_role_by_name gnumeric/goffice/goffice/graph/gog-object.c:2056:26
    #1 0x7fcdd845d978 in gog_object_get_child_by_name gnumeric/goffice/goffice/graph/gog-object.c:1307:3
    #2 0x7fcdb5ce92fd in xlsx_get_trend_eq gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:1373:18
    #3 0x7fcdb5cd5cf7 in xlsx_ser_trendline_disprsqr gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:1391:16
    #4 0x7fcdd7758555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #5 0x7fcdd77713dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #6 0x7fcdd776c400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #7 0x7fcdd6734b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #8 0x7fcdd674071f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #9 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #14 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #15 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #16 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #17 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #18 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #19 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #20 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #21 0x7fcdd6767684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #22 0x7fcdd7758c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #23 0x7fcdd77b272d in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432:8
    #24 0x7fcdb5c4d3da in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #25 0x7fcdb5cb9ae6 in xlsx_read_chart gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3067:3
    #26 0x7fcdd7758555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #27 0x7fcdd77713dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #28 0x7fcdd776c400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #29 0x7fcdd6734b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #30 0x7fcdd674071f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #31 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #32 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #33 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #34 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #35 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #36 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #37 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #38 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #39 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #40 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #41 0x7fcdd6767684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #42 0x7fcdd7758c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #43 0x7fcdd77b272d in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:432:8
    #44 0x7fcdb5c4d3da in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #45 0x7fcdb5c8154e in xlsx_sheet_drawing gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3574:3
    #46 0x7fcdd7758555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #47 0x7fcdd77713dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #48 0x7fcdd776c400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #49 0x7fcdd6734b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #50 0x7fcdd674071f in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10080:9
    #51 0x7fcdd673ebd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #52 0x7fcdd6743039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #53 0x7fcdd6767684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #54 0x7fcdd7758c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #55 0x7fcdb5c3ecd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #56 0x7fcdb5c45bdf in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3996:3
    #57 0x7fcdd776db81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #58 0x7fcdd6737856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #59 0x7fcdd6743d3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #60 0x7fcdd6767684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #61 0x7fcdd7758c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #62 0x7fcdb5c3ecd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #63 0x7fcdb5c3d652 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5153:4
    #64 0x7fcdd832cc80 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #65 0x7fcdd8340804 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #66 0x7fcdd834e018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #67 0x7fcdd9cd4f2a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #68 0x7fcdd9cd5b20 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #69 0x4e0f21 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #70 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #71 0x7fcdd276378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #72 0x437b98 in _start (apps/bin/ssconvert+0x437b98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/graph/gog-object.c:2056 gog_object_find_role_by_name

-- Juha Kylmänen
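A triage helper for sanitizer reports like the one above, added here as an example; it is not part of the bug report and not Gnumeric or goffice code. It parses the AddressSanitizer header and stack frames, decides whether the fault address lies in the NULL page (which is what distinguishes a missing NULL check from a wild pointer), and picks out the first frame inside each component so a maintainer can see where fuzzed input first reaches project code (here, the xlsx importer at frame #2) separately from the library frames it passes through. The component path prefixes and the 0x1000 NULL-page threshold are assumptions taken from the paths in this trace; the sample report is a constructed subset of the frames above.

```python
"""Triage helper for AddressSanitizer SEGV reports such as the one in this bug.

Added example (not part of the bug report or of Gnumeric/goffice): parses a
sanitizer report, decides whether the fault address is a NULL-page access and
reports the first stack frame inside each component.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the header and a selection of frames from the trace in
# this report, one frame per line as ASan prints them (frames #8-#70 omitted).
SAMPLE_REPORT = """\
==19052==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcdd845dbdb bp 0x7ffe6766b0b0 sp 0x7ffe6766af40 T0)
    #0 0x7fcdd845dbda in gog_object_find_role_by_name gnumeric/goffice/goffice/graph/gog-object.c:2056:26
    #1 0x7fcdd845d978 in gog_object_get_child_by_name gnumeric/goffice/goffice/graph/gog-object.c:1307:3
    #2 0x7fcdb5ce92fd in xlsx_get_trend_eq gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:1373:18
    #3 0x7fcdb5cd5cf7 in xlsx_ser_trendline_disprsqr gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:1391:16
    #4 0x7fcdd7758555 in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #5 0x7fcdd77713dd in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #6 0x7fcdd776c400 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #7 0x7fcdd6734b60 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8676:6
    #71 0x7fcdd276378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #72 0x437b98 in _start (apps/bin/ssconvert+0x437b98)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/graph/gog-object.c:2056 gog_object_find_role_by_name
"""

# Assumed source-tree layout, taken from the paths in the trace above.
COMPONENTS = [
    ("gnumeric/gnumeric/", "gnumeric"),
    ("gnumeric/goffice/", "goffice"),
    ("gnumeric/libgsf/", "libgsf"),
    ("gnumeric/libxml2/", "libxml2"),
]
# Assumption: a SEGV below the first page is NULL plus a small field offset.
PAGE_ZERO_LIMIT = 0x1000

# "SEGV on unknown address 0x..." and "heap-buffer-overflow on address 0x..."
HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S+)$")
SRC_LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    idx: int
    func: str
    file: Optional[str]   # None for frames without source info, e.g. libc
    line: Optional[int]
    component: str


def classify_path(loc: str) -> str:
    """Map a frame location to the component it belongs to."""
    for prefix, name in COMPONENTS:
        if loc.startswith(prefix):
            return name
    return "system"


def parse_report(text: str) -> Tuple[Optional[str], Optional[int], List[Frame]]:
    """Return (error kind, fault address, frames) from raw sanitizer output."""
    kind, addr, frames = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            kind, addr = m.group("kind"), int(m.group("addr"), 16)
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue
        loc = m.group("loc")
        s = SRC_LOC_RE.match(loc)
        frames.append(Frame(int(m.group("idx")), m.group("func"),
                            s.group("file") if s else None,
                            int(s.group("line")) if s else None,
                            classify_path(loc)))
    return kind, addr, frames


def triage(text: str) -> dict:
    """Classify the fault and find where each component first appears on the stack."""
    kind, addr, frames = parse_report(text)
    if kind is None or not frames:
        raise ValueError("no AddressSanitizer report with a stack trace found")
    first_by_component: Dict[str, Frame] = {}
    for f in frames:                      # frames are innermost first
        first_by_component.setdefault(f.component, f)
    return {
        "kind": kind,
        "address": addr,
        "null_deref": kind == "SEGV" and addr is not None and addr < PAGE_ZERO_LIMIT,
        "fault_frame": frames[0],
        "first_frame_by_component": first_by_component,
        "depth": len(frames),
    }


def summary(text: str) -> str:
    """Human-readable triage lines for a bug report or fuzzing dashboard."""
    r = triage(text)
    ff = r["fault_frame"]
    lines = [f"{r['kind']} in {ff.func} ({ff.file}:{ff.line})",
             "NULL-page access: " + ("yes" if r["null_deref"] else "no")]
    for name, f in r["first_frame_by_component"].items():
        lines.append(f"  first {name} frame: #{f.idx} {f.func}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
```

Running it on the sample prints that the SEGV is a NULL-page access in gog_object_find_role_by_name and that the first gnumeric frame is #2 xlsx_get_trend_eq, i.e. the importer call that passed a NULL object down into goffice. The header regex also accepts non-SEGV ASan errors (heap-buffer-overflow and the like), for which null_deref is always false.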
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.