GNOME Bugzilla – Bug 752082
Out-of-bounds read in go-format.c:6321 on a fuzzed xls file
Last modified: 2015-07-08 13:02:12 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_003-go-format.c.6321.xls

A lot of stuff in Valgrind as well but doesn't seem to crash on its own.

$ ssconvert gnumeric_case_003-go-format.c.6321.xls /tmp/out.gnumeric
==14956==ERROR: AddressSanitizer: SEGV on unknown address 0x00147fff801f (pc 0x7f41032a586e bp 0x7fff9383dd50 sp 0x7fff9383da80 T0)
    #0 0x7f41032a586d in go_format_unref gnumeric/goffice/goffice/utils/go-format.c:6321:2
    #1 0x7f41051c3ca5 in value_release gnumeric/gnumeric/src/value.c:564:3
    #2 0x7f410477baa5 in free_values gnumeric/gnumeric/src/func.c:1841:4
    #3 0x7f410477b4be in function_call_with_exprs gnumeric/gnumeric/src/func.c:2103:2
    #4 0x7f41046b332f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #5 0x7f41046acabf in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1247:7
    #6 0x7f41046e7816 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #7 0x7f410469b2dd in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #8 0x7f4104698ce7 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #9 0x7f4104646731 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #10 0x7f410466a7ea in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #11 0x7f41052512ab in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #12 0x7f4105251bb0 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #13 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #14 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #15 0x7f40fbd3078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #16 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/goffice/goffice/utils/go-format.c:6321 go_format_unref

-- Juha Kylmänen
I cannot reproduce this one.
How about:
http://jutaky.com/fuzzing/gnumeric_case_003-go-format.c.6321-2.xls
http://jutaky.com/fuzzing/gnumeric_case_003-go-format.c.6321-3.xls
Nothing, but perhaps you could attach the first error from valgrind.
==13004== Conditional jump or move depends on uninitialised value(s)
==13004==    at 0x19522F18: gnumeric_growth (functions.c:4319)
==13004==    by 0x4F3F313: function_call_with_exprs (func.c:2101)
==13004==    by 0x4F21E1D: gnm_expr_eval (expr.c:1453)
==13004==    by 0x4F3E1BE: function_call_with_exprs (func.c:1932)
==13004==    by 0x4F21E1D: gnm_expr_eval (expr.c:1453)
==13004==    by 0x4F219C0: gnm_expr_eval (expr.c:1247)
==13004==    by 0x4F29F98: gnm_expr_top_eval (expr.c:3124)
==13004==    by 0x4F1F1D9: gnm_cell_eval_content (dependent.c:1665)
==13004==    by 0x4F1F1D9: cell_dep_eval (dependent.c:1250)
==13004==    by 0x4F1942A: dependent_eval (dependent.c:1755)
==13004==    by 0x4F1942A: workbook_recalc (dependent.c:2869)
==13004==    by 0x50B542A: workbook_view_new_from_input (workbook-view.c:1294)
==13004==    by 0x50B55DB: workbook_view_new_from_uri (workbook-view.c:1337)
==13004==    by 0x40491B: convert (ssconvert.c:720)
This problem ought to have been fixed by commit 46dfb59593aeac65ab0be50b8746e66911f1ab3f. Can you please force a recompile in fn-stat?
I am such a git noob. Apparently I had managed to screw up something and despite git pull saying "up-to-date" not all my files had been updated and git pull silently skipped them. Anyways, I managed to solve the issue with the files and now I should have all the patches and this case is indeed duplicate and no longer crashes for me.

*** This bug has been marked as a duplicate of bug 751970 ***