GNOME Bugzilla – Bug 751989
Heap-buffer overread in ms-excel-read.c:7065 on a fuzzed xls file
Last modified: 2015-07-06 13:55:21 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_012-ms-excel-read.c.7065.xls

$ ssconvert gnumeric_case_012-ms-excel-read.c.7065.xls /tmp/out.gnumeric
==32665==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001b86b5 at pc 0x7fa90e55479f bp 0x7fff49b30b50 sp 0x7fff49b30b48
READ of size 1 at 0x6020001b86b5 thread T0
    #0 0x7fa90e55479e in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7065:18
    #1 0x7fa90e55022c in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7201:3
    #2 0x7fa90e4e4241 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #3 0x7fa90e4e5c94 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #4 0x7fa93327af20 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #5 0x7fa93328eaa4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #6 0x7fa93329c2b8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #7 0x7fa934c1b874 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #8 0x7fa934c1c460 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #9 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #10 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #11 0x7fa92d6b978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #12 0x437c58 in _start (apps/bin/ssconvert+0x437c58)

0x6020001b86b5 is located 0 bytes to the right of 5-byte region [0x6020001b86b0,0x6020001b86b5)
allocated by thread T0 here:
    #0 0x4bec22 in __interceptor_malloc (apps/bin/ssconvert+0x4bec22)
    #1 0x7fa92e0c4649 in g_malloc gnumeric/glib/glib/gmem.c:97
    #2 0x7fa93272922f in gsf_input_read gnumeric/libgsf/gsf/gsf-input.c:375:8
    #3 0x7fa90e4ea5ab in ms_biff_query_next gnumeric/gnumeric/plugins/excel/ms-biff.c:443:23
    #4 0x7fa90e54fe90 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7196:6
    #5 0x7fa90e4e4241 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #6 0x7fa90e4e5c94 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #7 0x7fa93327af20 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #8 0x7fa93328eaa4 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #9 0x7fa93329c2b8 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #10 0x7fa934c1b874 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #11 0x7fa934c1c460 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #12 0x4e1031 in convert gnumeric/gnumeric/src/ssconvert.c:721:9
    #13 0x4ded93 in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #14 0x7fa92d6b978f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7065 excel_read_BOF

-- Juha Kylmänen
I'm unable to reproduce with either valgrind or gdb. Anyway, we read data without checking the length on that line. Hopefully fixed, please check.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
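The pattern behind the report (a BOF record shorter than the fields the parser reads, here a 5-byte record read at offset 5) and the length check the fix adds, as an added example that is not Gnumeric's code: a minimal BIFF record reader whose BOF parser guards every field with the record length. The names biff_record, biff_next, parse_bof and read_bof are hypothetical; the field layout (version, type, build, year) follows the BIFF BOF record, and the sample streams are constructed, not the report's test case.

```c
/* Added example, not Gnumeric's code; names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
typedef struct {
    uint16_t opcode;      /* record type; 0x0809 is BOF in BIFF5/8 */
    uint16_t length;      /* payload bytes declared in the header */
    const uint8_t *data;  /* payload, exactly `length` readable bytes */
} biff_record;
typedef struct { uint16_t version, type, build, year; } bof_info;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Next record header at *pos; refuses a record whose declared length runs past
 * the end of the stream, so q->data really has q->length bytes. 1 on success. */
static int biff_next(const uint8_t *buf, size_t len, size_t *pos, biff_record *q)
{
    if (len - *pos < 4) return 0;
    q->opcode = le16(buf + *pos);
    q->length = le16(buf + *pos + 2);
    if (len - *pos - 4 < q->length) return 0;
    q->data = buf + *pos + 4;
    *pos += 4 + q->length;
    return 1;
}

/* BIFF2-4 BOF is 4 bytes (version, type); build and year exist only from BIFF5
 * on, so each is read only if present. A fuzzed 5-byte record like the one in
 * the ASan report is therefore never read at offset 5. 1 on success. */
static int parse_bof(const biff_record *q, bof_info *out)
{
    if (q->opcode != 0x0809 || q->length < 4) return 0;
    out->version = le16(q->data);
    out->type    = le16(q->data + 2);
    out->build   = q->length >= 6 ? le16(q->data + 4) : 0;
    out->year    = q->length >= 8 ? le16(q->data + 6) : 0;
    return 1;
}

/* Read the first record of a stream and parse it as BOF; 1 on success. */
static int read_bof(const uint8_t *buf, size_t len, bof_info *out)
{
    size_t pos = 0; biff_record q;
    return biff_next(buf, len, &pos, &q) && parse_bof(&q, out);
}

/* Constructed streams (not the report's file): BOF with all four fields; header
 * declaring only 5 payload bytes; header claiming 8 bytes but cut off after 5. */
static const uint8_t good_bof[]  = {0x09,0x08, 0x08,0x00, 0x00,0x06, 0x05,0x00, 0x8f,0x07, 0xc9,0x07};
static const uint8_t short_bof[] = {0x09,0x08, 0x05,0x00, 0x00,0x06, 0x05,0x00, 0x8f};
static const uint8_t cut_bof[]   = {0x09,0x08, 0x08,0x00, 0x00,0x06, 0x05,0x00, 0x8f};
```

The 5-byte stream parses with build and year left at 0 instead of reading past the payload, and the stream whose header overstates its length is rejected before any field is read.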
Appears to be fine now.