Bug 751971 – Heap-buffer-overflow in sheet-object-graph.c:857 on a fuzzed .gnumeric file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 751971 - Heap-buffer-overflow in sheet-object-graph.c:857 on a fuzzed .gnumeric file


Summary:	Heap-buffer-overflow in sheet-object-graph.c:857 on a fuzzed .gnumeric file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export other
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Morten Welinder
QA Contact:	Jody Goldberg

URL:	http://jutaky.com/fuzzing/gnumeric_ca...
Whiteboard:

Depends on:
Blocks:

Reported:	2015-07-05 07:18 UTC by jutaky
Modified:	2015-07-05 16:06 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2015-07-05 07:18:41 UTC

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-sheet-object-graph.c.857.gnumeric

$ ssconvert gnumeric_case_002-sheet-object-graph.c.857.gnumeric /tmp/out.gnumeric

==14502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100003dfe0 at pc 0x7f4c56f9b518 bp 0x7ffdb09ffc30 sp 0x7ffdb09ffc28
WRITE of size 8 at 0x61100003dfe0 thread T0
    #0 0x7f4c56f9b517 in vector_end gnumeric/gnumeric/src/sheet-object-graph.c:857:2
    #1 0x7f4c54c1f1d1 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #2 0x7f4c53be8a76 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #3 0x7f4c53bf4f5a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #4 0x7f4c53befdf3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #5 0x7f4c53bf4259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #6 0x7f4c53befdf3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #7 0x7f4c53bf4259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #8 0x7f4c53befdf3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #9 0x7f4c53bf4259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #10 0x7f4c53befdf3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #11 0x7f4c53bf4259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #12 0x7f4c53befdf3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #13 0x7f4c53bf4259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #14 0x7f4c53befdf3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #15 0x7f4c53bf4259 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #16 0x7f4c53c188a4 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10857:2
    #17 0x7f4c54c0a233 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #18 0x7f4c5726f4aa in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3410:7
    #19 0x7f4c57275210 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3539:7
    #20 0x7f4c55809f74 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #21 0x7f4c557f72b8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #22 0x7f4c57176804 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #23 0x7f4c571773f0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #24 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #25 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #26 0x7f4c4fc1478f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #27 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/sheet-object-graph.c:857 vector_end

--
Juha Kylmänen

ps. In Valgrind against non-debug stable build:

==12290== Warning: set address range perms: large range [0x3a055040, 0x7c60f684) (undefined)
==12290== Warning: set address range perms: large range [0x3a055028, 0x7c60f69c) (noaccess)
==12290== Invalid write of size 8
==12290==    at 0x4F6E473: ??? (in /usr/lib/libspreadsheet-1.12.20.so)
==12290==    by 0x5781E2D: ??? (in /usr/lib/libgsf-1.so.114.0.33)
==12290==    by 0x6E0702C: ??? (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0D62A: xmlParseElement (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0CB4A: xmlParseContent (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0D432: xmlParseElement (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0CB4A: xmlParseContent (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0D432: xmlParseElement (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0CB4A: xmlParseContent (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0D432: xmlParseElement (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0CB4A: xmlParseContent (in /usr/lib/libxml2.so.2.9.2)
==12290==    by 0x6E0D432: xmlParseElement (in /usr/lib/libxml2.so.2.9.2)
==12290==  Address 0x19db50e0 is 208 bytes inside an unallocated block of size 1,818,576 in arena "client"
==12290==

Comment 1 Jean Bréfort 2015-07-05 16:06:18 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.