GNOME Bugzilla – Bug 751659
Null pointer crash in expr.c:1476 on a fuzzed xls file
Last modified: 2015-07-01 02:00:42 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_006-expr.c.1476.xls

$ ssconvert gnumeric_case_006-expr.c.1476.xls /tmp/out.gnumeric
==9186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6eabbe52d0 bp 0x7ffd719519f0 sp 0x7ffd71950940 T0)
    #0 0x7f6eabbe52cf in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1476:19
    #1 0x7f6eabc0c624 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3122:8
    #2 0x7f6eabbd3944 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #3 0x7f6eabbd1e27 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #4 0x7f6eabb96e0d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #5 0x7f6eabbafb42 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #6 0x7f6eac476160 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #7 0x7f6eac476a70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #8 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #9 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #10 0x7f6ea4f0478f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #11 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/expr.c:1476 gnm_expr_eval

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
Take two: http://jutaky.com/fuzzing/gnumeric_case_006-2-expr.c.1476.xls

==31042==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc1801b3114 bp 0x7fff4e258d50 sp 0x7fff4e257ca0 T0)
    #0 0x7fc1801b3113 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1476:19
    #1 0x7fc1801da104 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3122:8
    #2 0x7fc1801a1754 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #3 0x7fc18019fc37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #4 0x7fc180164f0d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #5 0x7fc18017dc82 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #6 0x7fc180a3b99a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #7 0x7fc180a3c2a0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #8 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #9 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #10 0x7fc1794d978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #11 0x437c58 in _start (apps/bin/ssconvert+0x437c58)
Unrelated, but fixed.
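The two traces above are the whole of what a fuzzing campaign hands a maintainer: an ASan header with a fault address and a stack. The triage helper below is an added example, not Gnumeric code and not something the reporter posted; it parses that ASan output (whether the frames are on separate lines or run together onto one line, as the bug tracker rendered them), splits a bare SEGV into null-deref versus wild-pointer by fault address, finds the innermost in-project frame, and builds a stack signature for de-duplication. The two sample inputs are the traces from this report, abbreviated to the frames shown; the NULL_PAGE threshold and the "gnumeric/" path prefix are assumptions of the example.

```python
"""Crash-triage helper for AddressSanitizer (ASan) SEGV reports such as the two
ssconvert traces in this bug.  Added example; not Gnumeric code, not the reporter's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASan header, e.g. "==9186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc ...)"
_HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) "
    r"on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)"
)
# One frame, e.g. "#0 0x7f6eabbe52cf in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1476:19"
_FRAME_RE = re.compile(r"#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")

# Assumption: the zero page is never mapped, so a fault below it is NULL plus a
# small struct-field offset (a null deref) rather than a wild or freed pointer.
NULL_PAGE = 0x1000


@dataclass(frozen=True)
class Frame:
    idx: int
    func: str
    loc: str  # "dir/file.c:line:col", or "(lib+0xoff)" when unsymbolised


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    frames: List[Frame]


def parse_asan(text: str) -> AsanReport:
    """Parse one ASan report.  Frames are located by regex, so a trace that a
    bug tracker has flattened onto a single line parses like a clean one."""
    m = _HEADER_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    frames = [Frame(int(f["idx"]), f["func"], f["loc"])
              for f in _FRAME_RE.finditer(text, m.end())]
    # Two reports pasted together would break the 0..n numbering; refuse to guess.
    if [fr.idx for fr in frames] != list(range(len(frames))):
        raise ValueError("frame numbering is not a single 0..n sequence")
    return AsanReport(int(m["pid"]), m["kind"], int(m["addr"], 16), frames)


def classify(report: AsanReport) -> str:
    """SEGV is only a symptom; split it by fault address.  Other ASan kinds
    (heap-buffer-overflow, use-after-free, ...) are already specific."""
    if report.kind != "SEGV":
        return report.kind.lower()
    return "null-deref" if report.address < NULL_PAGE else "wild-deref"


def first_project_frame(report: AsanReport, prefix: str) -> Optional[Frame]:
    """Innermost frame inside the project tree: where to start reading."""
    return next((fr for fr in report.frames if fr.loc.startswith(prefix)), None)


def signature(report: AsanReport, prefix: str, depth: int = 3) -> Tuple[str, ...]:
    """Bucket key for de-duplicating a campaign: crash class plus the top
    `depth` in-project function names (libc and _start frames are skipped)."""
    funcs = [fr.func for fr in report.frames if fr.loc.startswith(prefix)][:depth]
    return (classify(report), *funcs)


def triage(text: str, prefix: str = "gnumeric/") -> dict:
    r = parse_asan(text)
    top = first_project_frame(r, prefix)
    return {"class": classify(r), "address": hex(r.address),
            "site": top.loc if top else None, "signature": signature(r, prefix)}


# Sample input: the first trace from this bug, one frame per line.
TRACE_1 = """==9186==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6eabbe52d0 bp 0x7ffd719519f0 sp 0x7ffd71950940 T0)
    #0 0x7f6eabbe52cf in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1476:19
    #1 0x7f6eabc0c624 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3122:8
    #2 0x7f6eabbd3944 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #3 0x7f6eabbd1e27 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #4 0x7f6eabb96e0d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #5 0x7f6eabbafb42 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #6 0x7f6eac476160 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #7 0x7f6eac476a70 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #8 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #9 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #10 0x7f6ea4f0478f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #11 0x437c58 in _start (apps/bin/ssconvert+0x437c58)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/expr.c:1476 gnm_expr_eval
"""

# Sample input: the "take two" trace, kept flattened onto one line as the tracker showed it.
TRACE_2 = (
    "==31042==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc1801b3114 bp 0x7fff4e258d50 sp 0x7fff4e257ca0 T0) "
    "#0 0x7fc1801b3113 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1476:19 "
    "#1 0x7fc1801da104 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3122:8 "
    "#2 0x7fc1801a1754 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6 "
    "#3 0x7fc18019fc37 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22 "
    "#4 0x7fc180164f0d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2 "
    "#5 0x7fc18017dc82 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2 "
    "#6 0x7fc180a3b99a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4 "
    "#7 0x7fc180a3c2a0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9 "
    "#8 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9 "
    "#9 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9 "
    "#10 0x7fc1794d978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f) "
    "#11 0x437c58 in _start (apps/bin/ssconvert+0x437c58)"
)

if __name__ == "__main__":
    for name, trace in (("case_006", TRACE_1), ("case_006-2", TRACE_2)):
        print(name, triage(trace))
```

Both traces produce the same signature, so a stack-hash de-duplicator would have filed the second test case as a duplicate of the first; the maintainer's "Unrelated, but fixed" shows that the same crash site can hide a distinct root cause. Treat the signature as a way to pick which file to look at first, and re-run every "duplicate" against the tree after each fix rather than closing the whole bucket on one commit.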