GNOME Bugzilla – Bug 752021
Out-of-bounds read in dependent.c:514 on a fuzzed xls file
Last modified: 2015-07-07 00:25:18 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-dependent.c.514.xls

$ ssconvert gnumeric_case_001-dependent.c.514.xls /tmp/out.gnumeric
==21488==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ff7d16571fe bp 0x7ffd679483b0 sp 0x7ffd679481a0 T0)
    #0 0x7ff7d16571fd in dependent_queue_recalc_main gnumeric/gnumeric/src/dependent.c:514:7
    #1 0x7ff7d161f17b in dependent_queue_recalc_list gnumeric/gnumeric/src/dependent.c:545:2
    #2 0x7ff7d161eccf in dependent_queue_recalc gnumeric/gnumeric/src/dependent.c:560:3
    #3 0x7ff7d17153fc in gnumeric_table gnumeric/gnumeric/src/func-builtin.c:255:4
    #4 0x7ff7d1700b12 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #5 0x7ff7d167585d in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #6 0x7ff7d16772d4 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1525:7
    #7 0x7ff7d169d1b4 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #8 0x7ff7d1664664 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #9 0x7ff7d1662b47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #10 0x7ff7d1627e1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #11 0x7ff7d1627877 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #12 0x7ff7d1677b94 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1553:3
    #13 0x7ff7d169d1b4 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #14 0x7ff7d1664664 in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #15 0x7ff7d1662b47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #16 0x7ff7d1627e1d in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #17 0x7ff7d1640b92 in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #18 0x7ff7d1efeaea in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #19 0x7ff7d1eff3f0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #20 0x4e0f21 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #21 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #22 0x7ff7ca99a78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #23 0x437b98 in _start (apps/bin/ssconvert+0x437b98)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/dependent.c:514 dependent_queue_recalc_main

-- Juha Kylmänen
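Triaging a report like the one above comes down to extracting the sanitizer error kind, the faulting address and the first frame inside the project's own source, then bucketing on that frame so repeated finds from one fuzzing run collapse into a single bug. The Python below is an added example, not code from this bug report or from the Gnumeric project. It embeds the report's frames as a constructed sample (trimmed to a few frames), treats the `project_root` prefix `gnumeric/` as "our" source, and uses a page-size threshold as a heuristic for flagging a fault address as a NULL-plus-offset dereference; all of those are assumptions of the example.

```python
"""Bucket AddressSanitizer crash reports by their first in-project frame."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the AddressSanitizer report from the bug above, reflowed
# one frame per line and trimmed to a few frames (#4-#21 omitted).
SAMPLE_REPORT = """\
==21488==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ff7d16571fe bp 0x7ffd679483b0 sp 0x7ffd679481a0 T0)
    #0 0x7ff7d16571fd in dependent_queue_recalc_main gnumeric/gnumeric/src/dependent.c:514:7
    #1 0x7ff7d161f17b in dependent_queue_recalc_list gnumeric/gnumeric/src/dependent.c:545:2
    #2 0x7ff7d161eccf in dependent_queue_recalc gnumeric/gnumeric/src/dependent.c:560:3
    #3 0x7ff7d17153fc in gnumeric_table gnumeric/gnumeric/src/func-builtin.c:255:4
    #22 0x7ff7ca99a78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #23 0x437b98 in _start (apps/bin/ssconvert+0x437b98)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/dependent.c:514 dependent_queue_recalc_main
"""

# Matches both "SEGV on unknown address 0x10 (...)" and
# "heap-buffer-overflow on address 0x... at pc ..." style headers.
HEADER_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
# "#0 0x... in func path:line:col" or "#22 0x... in func (module+offset)".
# The function part is non-greedy so demangled C++ names with spaces still parse.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")

# Frames belonging to the sanitizer runtime or the C runtime are never the bug.
RUNTIME_PREFIXES = ("__asan", "__interceptor", "__sanitizer", "__libc_start_main", "_start")
ZERO_PAGE = 0x1000  # assumption: a fault below the first page is a NULL+offset dereference


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    loc: str  # "path:line[:col]" when symbolised to source, else "(module+offset)"


def parse_location(loc: str) -> Tuple[Optional[str], Optional[int]]:
    """Split "path:line[:col]" into (path, line); a module+offset gives (None, None)."""
    m = LOC_RE.match(loc)
    if not m:
        return None, None
    return m.group("file"), int(m.group("line"))


@dataclass
class Triage:
    kind: str
    address: Optional[int]
    frames: List[Frame]
    top_project_frame: Optional[Frame]

    @property
    def near_null(self) -> bool:
        return self.address is not None and self.address < ZERO_PAGE

    @property
    def bucket(self) -> str:
        """Dedup key: error kind plus the first project frame's function and line."""
        f = self.top_project_frame
        if f is None:
            return f"{self.kind}:<no project frame>"
        path, line = parse_location(f.loc)
        return f"{self.kind}:{f.func}:{os.path.basename(path)}:{line}"


def triage(report: str, project_root: str = "gnumeric/") -> Triage:
    """Parse one ASan report; project_root is the source prefix that counts as ours."""
    kind, address, frames = None, None, []
    for line in report.splitlines():
        if kind is None:
            m = HEADER_RE.match(line)
            if m:
                kind = m.group("kind")
                address = int(m.group("addr"), 16) if m.group("addr") else None
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group("n")), m.group("func"), m.group("loc")))
        elif frames:
            break  # end of the first stack; allocation/free stacks may follow in other reports
    if kind is None:
        raise ValueError("no AddressSanitizer error header found")
    top = next(
        (f for f in frames
         if f.loc.startswith(project_root) and not f.func.startswith(RUNTIME_PREFIXES)),
        None,
    )
    return Triage(kind, address, frames, top)


def describe(t: Triage) -> str:
    hint = " (address below first page: likely NULL+offset dereference)" if t.near_null else ""
    return f"{t.bucket}{hint}"


if __name__ == "__main__":
    print(describe(triage(SAMPLE_REPORT)))
```

Run on the sample, the helper yields the bucket `SEGV:dependent_queue_recalc_main:dependent.c:514` and flags the address `0x10` as a probable NULL-plus-offset read rather than a wild out-of-bounds access; that classification is the heuristic's reading of the fault address, not something the bug report itself states.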
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution. I don't have a whole lot of faith in the TABLE code, but this failure was easy to fix.