GNOME Bugzilla – Bug 752124
Use-after-free in dependent.c:977 on a fuzzed xls file
Last modified: 2015-07-09 14:46:02 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-dependent.c.977.xls

$ ssconvert gnumeric_case_001-dependent.c.977.xls /tmp/out.gnumeric
==20691==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0006c1598 at pc 0x7f18c589d88d bp 0x7ffde65a24d0 sp 0x7ffde65a24c8
READ of size 8 at 0x60c0006c1598 thread T0
    #0 0x7f18c589d88c in link_range_dep gnumeric/gnumeric/src/dependent.c:977:7
    #1 0x7f18c589c114 in link_unlink_range_dep gnumeric/gnumeric/src/dependent.c:1035:3
    #2 0x7f18c58507a3 in link_unlink_cellrange_dep gnumeric/gnumeric/src/dependent.c:1076:3
    #3 0x7f18c585264a in link_unlink_expr_dep gnumeric/gnumeric/src/dependent.c:1102:11
    #4 0x7f18c5848a9a in dependent_link gnumeric/gnumeric/src/dependent.c:1537:3
    #5 0x7f18c566d49e in gnm_cell_set_expr_and_value gnumeric/gnumeric/src/cell.c:194:3
    #6 0x7f18a09a1ba4 in excel_read_FORMULA gnumeric/gnumeric/plugins/excel/ms-excel-read.c:3037:4
    #7 0x7f18a098c451 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6681:25
    #8 0x7f18a09223f3 in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7113:4
    #9 0x7f18a091a603 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7204:3
    #10 0x7f18a088fbd7 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:170:4
    #11 0x7f18a08916e4 in excel_file_open gnumeric/gnumeric/plugins/excel/boot.c:273:2
    #12 0x7f18c4a038aa in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #13 0x7f18c4a08cb7 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #14 0x7f18c4a0c4a6 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #15 0x7f18c6461145 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #16 0x7f18c6461d30 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #17 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #18 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #19 0x7f18bfd3f78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #20 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

0x60c0006c1598 is located 88 bytes inside of 120-byte region [0x60c0006c1540,0x60c0006c15b8)
freed by thread T0 here:
    #0 0x4bf732 in __interceptor_free (apps/bin/ssconvert+0x4bf732)
    #1 0x7f18c07757e6 in g_utf8_collate_key gnumeric/glib/glib/gunicollate.c:408

previously allocated by thread T0 here:
    #0 0x4bfa12 in __interceptor_malloc (apps/bin/ssconvert+0x4bfa12)
    #1 0x7f18c074a649 in g_malloc gnumeric/glib/glib/gmem.c:97

SUMMARY: AddressSanitizer: heap-use-after-free gnumeric/gnumeric/src/dependent.c:977 link_range_dep

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.