Bug 751988 - Segfault in sheet.c:2064 on a fuzzed .xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Reported: 2015-07-05 18:12 UTC by jutaky
Modified: 2015-07-07 00:17 UTC
Description jutaky 2015-07-05 18:12:47 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_011-sheet.c.2064.xls

$ ssconvert gnumeric_case_011-sheet.c.2064.xls /tmp/out.gnumeric

==28717==ERROR: AddressSanitizer: SEGV on unknown address 0x000c7fff8000 (pc 0x7f1a64a38af8 bp 0x7fffcd53aa10 sp 0x7fffcd53a720 T0)
    #0 0x7f1a64a38af7 in sheet_cell_get gnumeric/gnumeric/src/sheet.c:2064:2
    #1 0x7f1a3e15aaa8 in find_cells_that_match gnumeric/gnumeric/plugins/fn-database/functions.c:112:10
    #2 0x7f1a3e1593f9 in database_find_values gnumeric/gnumeric/plugins/fn-database/functions.c:169:10
    #3 0x7f1a3e158517 in database_float_range_function gnumeric/gnumeric/plugins/fn-database/functions.c:235:9
    #4 0x7f1a3e155773 in gnumeric_dmin gnumeric/gnumeric/plugins/fn-database/functions.c:522:9
    #5 0x7f1a646152ee in function_call_with_exprs gnumeric/gnumeric/src/func.c:2101:9
    #6 0x7f1a6458385d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #7 0x7f1a3e377677 in gnumeric_index gnumeric/gnumeric/plugins/fn-lookup/functions.c:1384:6
    #8 0x7f1a6460eb12 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #9 0x7f1a6458385d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #10 0x7f1a645ab1b4 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #11 0x7f1a64572664 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #12 0x7f1a64570b47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #13 0x7f1a64535e1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #14 0x7f1a6454eb92 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #15 0x7f1a64e0cb5a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #16 0x7f1a64e0d460 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #17 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #18 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #19 0x7f1a5d8aa78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #20 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/sheet.c:2064 sheet_cell_get

--
Juha Kylmänen
Comment 1 Jean Bréfort 2015-07-06 05:26:18 UTC
Doesn't crash for me, just valgrind reports an invalid read issue:

==7986== Invalid read of size 4
==7986==    at 0x1621E2C9: find_cells_that_match (functions.c:108)
==7986==    by 0x1621E2C9: database_find_values (functions.c:169)
==7986==    by 0x1621E6F0: database_float_range_function.isra.1.constprop.5 (functions.c:235)
==7986==    by 0x1621E872: gnumeric_dmin (functions.c:522)
==7986==    by 0x4EF0EB4: function_call_with_exprs (func.c:2101)
==7986==    by 0x4EE84BC: gnm_expr_eval (expr.c:1453)
==7986==    by 0x1601590A: gnumeric_index (functions.c:1384)
==7986==    by 0x4EF0A1E: function_call_with_exprs (func.c:1879)
==7986==    by 0x4EE84BC: gnm_expr_eval (expr.c:1453)
==7986==    by 0x4EE8E3E: gnm_expr_top_eval (expr.c:3124)
==7986==    by 0x4EDEDE1: gnm_cell_eval_content (dependent.c:1665)
==7986==    by 0x4EDEDE1: cell_dep_eval (dependent.c:1250)
==7986==    by 0x4EDEF7A: dependent_eval (dependent.c:1755)
==7986==    by 0x4EE3148: workbook_recalc (dependent.c:2869)
==7986==  Address 0x16427824 is 20 bytes after a block of size 32 alloc'd
==7986==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7986==    by 0x812D799: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7986==    by 0x81446AF: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7986==    by 0x4F8DCB9: value_new_array_non_init (value.c:423)
==7986==    by 0x4F8DDB7: value_new_array_empty (value.c:450)
==7986==    by 0x4EE403D: bin_array_iter_a (expr.c:1045)
==7986==    by 0x4EE8A82: gnm_expr_eval (expr.c:1315)
==7986==    by 0x4EF0934: function_call_with_exprs (func.c:1906)
==7986==    by 0x4EE84BC: gnm_expr_eval (expr.c:1453)
==7986==    by 0x1601590A: gnumeric_index (functions.c:1384)
==7986==    by 0x4EF0A1E: function_call_with_exprs (func.c:1879)
==7986==    by 0x4EE84BC: gnm_expr_eval (expr.c:1453)
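The two comments above show the same bug under two tools, and the top frame differs because the valgrind build inlined sheet_cell_get into find_cells_that_match. The following triage helper is an added example, not code from this bug report or from Gnumeric: it parses both trace layouts and decides whether two stacks belong to the same crash bucket despite that inlined frame. The sample strings are constructed from the frames quoted in the comments.

```python
import re
from typing import List, Tuple

Frame = Tuple[str, str, int]  # (function, source basename, line)
# Frame layouts quoted in the comments above; ".isra.1.constprop.5" on the
# valgrind frame is a GCC clone suffix, not part of the function name.
ASAN_FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?\s*$", re.I)
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9a-f]+:\s+(\S+)\s+\(([^:)]+):(\d+)\)\s*$", re.I)
STACK_START = re.compile(r"^\s*(?:#0\s|==\d+==\s+at\s)")  # first frame of a stack

def parse_stacks(report: str) -> List[List[Frame]]:
    """Split a report into stacks of (function, file, line); valgrind's allocation
    stack comes out separately. Frames without a source line (libc, _start) are skipped."""
    stacks: List[List[Frame]] = []
    for line in report.splitlines():
        if STACK_START.match(line):
            stacks.append([])
        m = ASAN_FRAME.match(line) or VG_FRAME.match(line)
        if m:
            if not stacks:
                stacks.append([])
            func = m.group(1).split(".")[0]       # drop GCC clone suffix
            path = m.group(2).rsplit("/", 1)[-1]  # basename only
            stacks[-1].append((func, path, int(m.group(3))))
    return [s for s in stacks if s]

def same_bucket(a: List[Frame], b: List[Frame], depth: int = 4) -> bool:
    """Align on the first function both stacks share, so that a frame inlined away in
    one build (sheet_cell_get in the valgrind trace) does not split the bucket."""
    fa, fb = [f for f, _, _ in a], [f for f, _, _ in b]
    common = next((f for f in fa if f in fb), None)
    if common is None:
        return False
    ia, ib = fa.index(common), fb.index(common)
    return fa[ia:ia + depth] == fb[ib:ib + depth]

# Constructed samples: the top frames of the two traces in this bug.
ASAN = """\
    #0 0x7f1a64a38af7 in sheet_cell_get gnumeric/gnumeric/src/sheet.c:2064:2
    #1 0x7f1a3e15aaa8 in find_cells_that_match gnumeric/gnumeric/plugins/fn-database/functions.c:112:10
    #2 0x7f1a3e1593f9 in database_find_values gnumeric/gnumeric/plugins/fn-database/functions.c:169:10
    #3 0x7f1a3e158517 in database_float_range_function gnumeric/gnumeric/plugins/fn-database/functions.c:235:9
    #19 0x7f1a5d8aa78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)"""
VALGRIND = """\
==7986==    at 0x1621E2C9: find_cells_that_match (functions.c:108)
==7986==    by 0x1621E2C9: database_find_values (functions.c:169)
==7986==    by 0x1621E6F0: database_float_range_function.isra.1.constprop.5 (functions.c:235)
==7986==  Address 0x16427824 is 20 bytes after a block of size 32 alloc'd
==7986==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7986==    by 0x4F8DCB9: value_new_array_non_init (value.c:423)"""
```

Calling `same_bucket(parse_stacks(ASAN)[0], parse_stacks(VALGRIND)[0])` returns True, while the valgrind allocation stack is kept apart so it can be inspected as the origin of the 32-byte block rather than being mistaken for a second crash.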
Comment 2 Morten Welinder 2015-07-07 00:17:22 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.