Bug 751970 – Out-of-bounds read in go-format.c:6321 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751970 - Out-of-bounds read in go-format.c:6321 on a fuzzed xls file


Summary:	Out-of-bounds read in go-format.c:6321 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Duplicates:	752082 (view as bug list)
Depends on:
Blocks:

Reported:	2015-07-05 07:03 UTC by jutaky
Modified:	2015-07-08 13:02 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-07-05 07:03:03 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_010-go-format.c.6321.xls

$ ssconvert gnumeric_case_010-go-format.c.6321.xls /tmp/out.gnumeric

==8371==ERROR: AddressSanitizer: SEGV on unknown address 0x00073fff8001 (pc 0x7faa803869a5 bp 0x7ffc06510890 sp 0x7ffc06510680 T0)
    #0 0x7faa803869a4 in go_format_unref gnumeric/goffice/goffice/utils/go-format.c:6321:2
    #1 0x7faa8161dd4b in value_release gnumeric/gnumeric/src/value.c:564:3
    #2 0x7faa80c4ea67 in gnm_cell_cleanout gnumeric/gnumeric/src/cell.c:62:2
    #3 0x7faa81305fcf in cell_free gnumeric/gnumeric/src/sheet.c:4257:2
    #4 0x7faa812f4f99 in cb_remove_allcells gnumeric/gnumeric/src/sheet.c:4495:2
    #5 0x7faa7ab1f9af in g_hash_table_foreach gnumeric/glib/glib/ghash.c:1607
    #6 0x7faa812c13c6 in sheet_cell_foreach gnumeric/gnumeric/src/sheet.c:4089:2
    #7 0x7faa812f431c in sheet_destroy_contents gnumeric/gnumeric/src/sheet.c:4549:2
    #8 0x7faa8166ea49 in workbook_dispose gnumeric/gnumeric/src/workbook.c:169:3
    #9 0x7faa7b03ca54 in g_object_unref gnumeric/glib/gobject/gobject.c:3137
    #10 0x4e2be8 in convert gnumeric/gnumeric/src/ssconvert.c:841:3
    #11 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #12 0x7faa7a12a78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #13 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/utils/go-format.c:6321 go_format_unref

--
Juha Kylmänen

Comment 1 Morten Welinder 2015-07-05 17:24:07 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.

Comment 2 jutaky 2015-07-08 13:02:12 UTC

*** Bug 752082 has been marked as a duplicate of this bug. ***