GNOME Bugzilla – Bug 751390
Heap-buffer-overflow in expr.c:1065 on a fuzzed xls file
Last modified: 2015-06-28 20:39:49 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-expr.c.1065.xls

$ ssconvert gnumeric_case_002-expr.c.1065.xls /tmp/out.gnumeric
==10114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000018e88 at pc 0x7f07f93c5d7e bp 0x7ffe252adf10 sp 0x7ffe252adf08
WRITE of size 8 at 0x61b000018e88 thread T0
    #0 0x7f07f93c5d7d in cb_implicit_iter_b_to_scalar_a gnumeric/gnumeric/src/expr.c:1065:2
    #1 0x7f07f9bd2ee5 in cb_wrapper_foreach_cell_in_area gnumeric/gnumeric/src/value-sheet.c:260:11
    #2 0x7f07f9839224 in sheet_foreach_cell_in_range gnumeric/gnumeric/src/sheet.c:4029:15
    #3 0x7f07f9bdddfe in workbook_foreach_cell_in_range gnumeric/gnumeric/src/workbook.c:591:9
    #4 0x7f07f9bd1b7b in value_area_foreach gnumeric/gnumeric/src/value-sheet.c:302:10
    #5 0x7f07f9392397 in bin_array_iter_b gnumeric/gnumeric/src/expr.c:1087:2
    #6 0x7f07f938b3aa in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1425:12
    #7 0x7f07f94189a6 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1906:20
    #8 0x7f07f938ba4d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #9 0x7f07f93b3584 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3121:8
    #10 0x7f07f937a854 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #11 0x7f07f9378d37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #12 0x7f07f933dd1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #13 0x7f07f9356a52 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #14 0x7f07f9c1da20 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #15 0x7f07f9c1e330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #16 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #17 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #18 0x7f07f26a978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #19 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x61b000018e88 is located 0 bytes to the right of 1544-byte region [0x61b000018880,0x61b000018e88)
allocated by thread T0 here:
    #0 0x4bec22 in __interceptor_malloc (apps/bin/ssconvert+0x4bec22)
    #1 0x7f07f30b4339 in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f07f93922c1 in bin_array_iter_b gnumeric/gnumeric/src/expr.c:1084:18
    #3 0x7f07f938b3aa in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1425:12
    #4 0x7f07f94189a6 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1906:20
    #5 0x7f07f938ba4d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #6 0x7f07f93b3584 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3121:8
    #7 0x7f07f937a854 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #8 0x7f07f9378d37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #9 0x7f07f933dd1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #10 0x7f07f9356a52 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #11 0x7f07f9c1da20 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #12 0x7f07f9c1e330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #13 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #14 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #15 0x7f07f26a978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/expr.c:1065 cb_implicit_iter_b_to_scalar_a

-- Juha Kylmänen
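The sanitizer report above fed to a small triage helper, added here as an illustration and not part of the bug report or of gnumeric: it extracts the access kind and size, the region size and distance past it, and the top of both stacks, then derives that the 8-byte write lands at element index 193 of a 193-element (1544-byte) buffer, exactly one element past the end, with the buffer sized in bin_array_iter_b and overrun from the cell callback. The abridged report text is copied from the comment above with deeper frames dropped; the helper functions are assumed code.

```python
import re

# Abridged copy of the AddressSanitizer report from the comment above
# (deeper frames of both stacks omitted; addresses unchanged).
ASAN_REPORT = """\
==10114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000018e88 at pc 0x7f07f93c5d7e bp 0x7ffe252adf10 sp 0x7ffe252adf08
WRITE of size 8 at 0x61b000018e88 thread T0
    #0 0x7f07f93c5d7d in cb_implicit_iter_b_to_scalar_a gnumeric/gnumeric/src/expr.c:1065:2
    #1 0x7f07f9bd2ee5 in cb_wrapper_foreach_cell_in_area gnumeric/gnumeric/src/value-sheet.c:260:11
0x61b000018e88 is located 0 bytes to the right of 1544-byte region [0x61b000018880,0x61b000018e88)
allocated by thread T0 here:
    #0 0x4bec22 in __interceptor_malloc (apps/bin/ssconvert+0x4bec22)
    #1 0x7f07f30b4339 in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7f07f93922c1 in bin_array_iter_b gnumeric/gnumeric/src/expr.c:1084:18
SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/expr.c:1065 cb_implicit_iter_b_to_scalar_a
"""

FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan_report(text):
    """Pull the fields a triager needs out of a heap-buffer-overflow report."""
    info = {}
    m = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    info["kind"], info["address"] = m.group(1), m.group(2)
    m = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    info["access"], info["size"] = m.group(1), int(m.group(2))
    m = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region", text)
    info["distance"], info["side"], info["region"] = int(m.group(1)), m.group(2), int(m.group(3))
    # The access stack precedes "allocated by"; the allocation stack follows it.
    access_part, alloc_part = text.split("allocated by", 1)
    info["access_stack"] = FRAME_RE.findall(access_part)
    # First allocation frame that is not an allocator wrapper is where the buffer was sized.
    info["alloc_site"] = next((f for f in FRAME_RE.findall(alloc_part)
                               if not f[0].endswith("malloc")), None)
    return info

def triage(info):
    """Turn raw byte offsets into the element index that overflowed (assumes a homogeneous array)."""
    elems = info["region"] // info["size"] if info["region"] % info["size"] == 0 else None
    bad_index = None
    if elems is not None and info["side"] == "right":
        bad_index = elems + info["distance"] // info["size"]   # 193 for this report
    return {
        "memory_write": info["access"] == "WRITE",
        "elements_allocated": elems,          # 1544 / 8 = 193
        "overflowing_index": bad_index,       # one past the last valid index 192
        "faulting_frame": info["access_stack"][0],
        "allocation_site": info["alloc_site"],
    }
```

A write exactly one element past a buffer sized in a caller and filled from a per-cell callback points the fix at keeping the allocation count and the iteration count in agreement, which is the check to confirm when the fix lands.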
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.