GNOME Bugzilla – Bug 751249
Heap-buffer overread in ms-escher.c:161 on a fuzzed xls file
Last modified: 2015-07-04 09:15:11 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-ms-escher.c.161.xls (50 bytes!)

$ ssconvert gnumeric_case_001-ms-escher.c.161.xls /tmp/out.gnumeric
==22203==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b867d at pc 0x0000004a9443 bp 0x7ffe7abf59b0 sp 0x7ffe7abf5168
READ of size 4044484831 at 0x6020001b867d thread T0
    #0 0x4a9442 in memcpy (apps/bin/ssconvert+0x4a9442)
    #1 0x7fbcb9686f55 in g_memdup gnumeric/glib/glib/gstrfuncs.c:385
    #2 0x7fbc99c16d75 in ms_escher_blip_new gnumeric/gnumeric/plugins/excel/ms-escher.c:161:22
    #3 0x7fbc99c164ae in ms_escher_read_Blip gnumeric/gnumeric/plugins/excel/ms-escher.c:516:11
    #4 0x7fbc99bf6b9c in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2158:4
    #5 0x7fbc99bf3bd1 in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2233:2
    #6 0x7fbc99c3e580 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7303:4
    #7 0x7fbc99bd0441 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #8 0x7fbc99bd1e94 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #9 0x7fbcbe82ae30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #10 0x7fbcbe83e9b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #11 0x7fbcbe84c1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #12 0x7fbcc01d634a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #13 0x7fbcc01d6f40 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #14 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #15 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #16 0x7fbcb8c6378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #17 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x6020001b867d is located 0 bytes to the right of 13-byte region [0x6020001b8670,0x6020001b867d)
allocated by thread T0 here:
    #0 0x4bec22 in __interceptor_malloc (apps/bin/ssconvert+0x4bec22)
    #1 0x7fbcb966e339 in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7fbcbdcd2f4f in gsf_input_read gnumeric/libgsf/gsf/gsf-input.c:375:8
    #3 0x7fbc99bd6792 in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:443:23
    #4 0x7fbc99c3cda0 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7185:9
    #5 0x7fbc99bd0441 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #6 0x7fbc99bd1e94 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #7 0x7fbcbe82ae30 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #8 0x7fbcbe83e9b4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #9 0x7fbcbe84c1c8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #10 0x7fbcc01d634a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #11 0x7fbcc01d6f40 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #12 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #13 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #14 0x7fbcb8c6378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcpy

-- Juha Kylmänen
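The trace shows memcpy (reached through g_memdup from ms_escher_blip_new) being asked for 4044484831 bytes out of a 13-byte region: a blip length taken from the file was copied without being compared to the bytes actually read. The following is an added illustration of that missing bound, not gnumeric's code; the record layout (4-byte little-endian length, then payload), the Blip struct and all function names are assumptions, and the two sample records are constructed.

```c
/* Added example, not gnumeric's code: bounded handling of a length field
 * read from an untrusted file, the check whose absence produced the
 * g_memdup overread in the trace. Record layout (4-byte little-endian
 * length followed by payload) and all names here are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t len; uint8_t *data; } Blip;

/* Escher stores lengths little-endian; read one byte-wise, no alignment issues. */
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copies len bytes only if they lie within the avail bytes actually read;
 * the unchecked equivalent is simply g_memdup(data, len). */
Blip *blip_new_checked(const uint8_t *data, size_t avail, uint32_t len) {
    if (data == NULL || (size_t)len > avail)
        return NULL;                      /* declared length overruns the buffer */
    Blip *b = malloc(sizeof *b);
    if (b == NULL) return NULL;
    b->data = malloc(len ? len : 1);      /* avoid malloc(0) portability traps */
    if (b->data == NULL) { free(b); return NULL; }
    memcpy(b->data, data, len);
    b->len = len;
    return b;
}

void blip_free(Blip *b) { if (b) { free(b->data); free(b); } }

/* A record is a 4-byte length header followed by the payload. */
Blip *parse_blip_record(const uint8_t *rec, size_t rec_len) {
    if (rec == NULL || rec_len < 4) return NULL;
    return blip_new_checked(rec + 4, rec_len - 4, rd_u32le(rec));
}

/* Constructed 13-byte records, the region size from the report. BAD_REC
 * declares 0xF111F0DF = 4044484831 bytes, the READ size ASan printed. */
const uint8_t BAD_REC[13]  = { 0xDF, 0xF0, 0x11, 0xF1, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
const uint8_t GOOD_REC[13] = { 9, 0, 0, 0, 'a','b','c','d','e','f','g','h','i' };

/* Returns 1 when the well-formed record round-trips intact. */
int check_good(void) {
    Blip *b = parse_blip_record(GOOD_REC, sizeof GOOD_REC);
    int ok = b != NULL && b->len == 9 && memcmp(b->data, GOOD_REC + 4, 9) == 0;
    blip_free(b);
    return ok;
}
```

With the check in place the fuzzed record is rejected at parse time instead of reaching memcpy; under ASan the same input then produces no report.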
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.