Bug 752181 - Null pointer crash in value.c:636 on a fuzzed xls file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware/OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
URL: http://jutaky.com/fuzzing/gnumeric_ca...
Reported: 2015-07-09 15:07 UTC by jutaky
Modified: 2015-09-26 00:24 UTC
GNOME target: ---
GNOME version: ---
Description jutaky 2015-07-09 15:07:33 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_004-value.c.636.xls

$ ssconvert gnumeric_case_004-value.c.636.xls /tmp/out.gnumeric

==21363==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f85bcf9806d bp 0x7ffdcf808ad0 sp 0x7ffdcf808680 T0)
    #0 0x7f85bcf9806c in value_dup gnumeric/gnumeric/src/value.c:636:10
    #1 0x7f85bcf996ce in value_dup gnumeric/gnumeric/src/value.c:672:25
    #2 0x7f859563f31f in gnumeric_transpose gnumeric/gnumeric/plugins/fn-lookup/functions.c:1804:30
    #3 0x7f85bc54e45b in function_call_with_exprs gnumeric/gnumeric/src/func.c:2101:9
    #4 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #5 0x7f85bc5468e3 in function_call_with_exprs gnumeric/gnumeric/src/func.c:1906:20
    #6 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #7 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #8 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #9 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #10 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #11 0x7f85bc419020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #12 0x7f85bc554d9a in cb_iterate_cellrange gnumeric/gnumeric/src/func.c:2200:2
    #13 0x7f85bcb11e6f in sheet_foreach_cell_in_range gnumeric/gnumeric/src/sheet.c:4002:12
    #14 0x7f85bcfd45ae in workbook_foreach_cell_in_range gnumeric/gnumeric/src/workbook.c:591:9
    #15 0x7f85bc553c63 in function_iterate_do_value gnumeric/gnumeric/src/func.c:2265:9
    #16 0x7f85bc5523c2 in function_iterate_argument_values gnumeric/gnumeric/src/func.c:2372:12
    #17 0x7f85bc297409 in collect_floats gnumeric/gnumeric/src/collect.c:495:11
    #18 0x7f85bc29e3e2 in float_range_function gnumeric/gnumeric/src/collect.c:626:9
    #19 0x7f85979b8278 in gnumeric_max gnumeric/gnumeric/plugins/fn-stat/functions.c:915:9
    #20 0x7f85bc5453fa in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #21 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #22 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #23 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #24 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #25 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #26 0x7f85bc419020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #27 0x7f85bc55f3be in gnumeric_table gnumeric/gnumeric/src/func-builtin.c:221:4
    #28 0x7f85bc5453fa in function_call_with_exprs gnumeric/gnumeric/src/func.c:1879:10
    #29 0x7f85bc48638f in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1453:9
    #30 0x7f85bc4888aa in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1525:7
    #31 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #32 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #33 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #34 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #35 0x7f85bc419020 in gnm_cell_eval gnumeric/gnumeric/src/dependent.c:1769:3
    #36 0x7f85bc489592 in gnm_expr_eval gnumeric/gnumeric/src/expr.c:1553:3
    #37 0x7f85bc4ba876 in gnm_expr_top_eval gnumeric/gnumeric/src/expr.c:3124:8
    #38 0x7f85bc46e33d in gnm_cell_eval_content gnumeric/gnumeric/src/dependent.c:1665:6
    #39 0x7f85bc46bd47 in cell_dep_eval gnumeric/gnumeric/src/dependent.c:1250:22
    #40 0x7f85bc419791 in dependent_eval gnumeric/gnumeric/src/dependent.c:1755:2
    #41 0x7f85bc43d84a in workbook_recalc gnumeric/gnumeric/src/dependent.c:2869:2
    #42 0x7f85bd0241fb in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1294:4
    #43 0x7f85bd024b00 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #44 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #45 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #46 0x7f85b3b0378f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #47 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/src/value.c:636 value_dup

--
Juha Kylmänen
Comment 1 Morten Welinder 2015-09-26 00:24:50 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.