Bug 751392 – Database functions fail when given array argument

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751392 - Database functions fail when given array argument


Summary:	Database functions fail when given array argument


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	General
Version:	git master
Hardware:	Other All

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-06-23 15:53 UTC by jutaky
Modified:	2015-06-23 17:41 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-06-23 15:53:07 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_004-sheet.c.2064.xls

$ ssconvert gnumeric_case_004-sheet.c.2064.xls /tmp/out.gnumeric

==11057==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bfff8000 (pc 0x7f22766e7008 bp 0x7ffc59bc47d0 sp 0x7ffc59bc44e0 T0)
    #0 0x7f22766e7007 in sheet_cell_get gnumeric/gnumeric/src/sheet.c:2064:2
    #1 0x7f2253194dd8 in find_cells_that_match gnumeric/gnumeric/plugins/fn-database/functions.c:112:10
    #2 0x7f22531933f0 in database_find_values gnumeric/gnumeric/plugins/fn-database/functions.c:169:10
    #3 0x7f2253196762 in database_value_range_function gnumeric/gnumeric/plugins/fn-database/functions.c:297:9
    #4 0x7f225318f13e in gnumeric_dget gnumeric/gnumeric/plugins/fn-database/functions.c:456:9
    #5 0x7f22762c02ec in function_call_with_exprs gnumeric/gnumeric/src/func.c:2101:9
    #6 0x7f227622da4d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #7 0x7f227622f325 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1523:7
    #8 0x7f2276255584 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3121:8
    #9 0x7f227621c854 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #10 0x7f227621ad37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #11 0x7f22761dfd1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #12 0x7f22761f8a52 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #13 0x7f2276abfa20 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #14 0x7f2276ac0330 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #15 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #16 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #17 0x7f226f54b78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #18 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/sheet.c:2064 sheet_cell_get

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-06-23 17:25:51 UTC

database_value_range_function expects a range, but gets an array.

Comment 2 Morten Welinder 2015-06-23 17:41:23 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.