GNOME Bugzilla – Bug 752223
Global buffer overread in gog-axis.c:124 on a fuzzed .gnumeric file
Last modified: 2015-07-10 19:45:42 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-gog-axis.c.124.gnumeric

$ ssconvert gnumeric_case_001-gog-axis.c.124.gnumeric /tmp/out.gnumeric
==11783==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0928fb75c8 at pc 0x7f09282cea1b bp 0x7fff7d019f70 sp 0x7fff7d019f68
READ of size 8 at 0x7f0928fb75c8 thread T0
    #0 0x7f09282cea1a in gog_axis_metrics_from_str gnumeric/goffice/goffice/graph/gog-axis.c:124:15
    #1 0x7f09282a03a2 in gog_axis_set_property gnumeric/goffice/goffice/graph/gog-axis.c:2459:19
    #2 0x7f09221b5e92 in object_set_property gnumeric/glib/gobject/gobject.c:1415
    #3 0x7f09221b5e92 in g_object_set_property gnumeric/glib/gobject/gobject.c:2362
    #4 0x7f092817d306 in gogo_prop_end gnumeric/goffice/goffice/graph/gog-object-xml.c:429:2
    #5 0x7f09270abf4f in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #6 0x7f0925776274 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10115:3
    #7 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #10 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #11 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #12 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #13 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #14 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #15 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #16 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #17 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #18 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #19 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #20 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #21 0x7f0925770e98 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #22 0x7f09257785c9 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #23 0x7f09257b2466 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10857:2
    #24 0x7f092708fed7 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #25 0x7f092a8f24ab in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3410:7
    #26 0x7f092a8fad00 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3539:7
    #27 0x7f0927fe4c48 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #28 0x7f0927fcdd18 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #29 0x7f092a7c0f15 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #30 0x7f092a7c1b00 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #31 0x4e6f9f in convert gnumeric/gnumeric/src/ssconvert.c:720:9
    #32 0x4e49bc in main gnumeric/gnumeric/src/ssconvert.c:913:9
    #33 0x7f09212a078f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #34 0x438a48 in _start (apps/bin/ssconvert+0x438a48)

0x7f0928fb75c8 is located 8 bytes to the right of global variable 'metrics_desc' defined in 'graph/gog-axis.c:110:3' (0x7f0928fb7580) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow gnumeric/goffice/goffice/graph/gog-axis.c:124 gog_axis_metrics_from_str

-- Juha Kylmänen
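The trace above says a pointer-sized read landed 8 bytes past the end of the 64-byte global table 'metrics_desc' while gog_axis_metrics_from_str was converting a string from the file into an axis metric. The goffice source is not on this page, so the following is an added, hypothetical model of that bug class rather than goffice's own code: a string-to-enum lookup whose loop stops only on a match, so a name the file supplies that is not in the table walks off the end, shown beside the bounded form that a parser should use. The table contents, the MetricKind values and all function names are constructed for the example.

```c
/* Added example, not goffice code: models a string-to-enum lookup over a
 * fixed global table, first without a bound (the shape that produces a
 * global-buffer-overflow read on unknown input), then bounded. All names
 * and table entries here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    METRIC_UNKNOWN = -1,   /* returned by the hardened lookup on no match */
    METRIC_DEFAULT = 0,
    METRIC_ABSOLUTE,
    METRIC_RELATIVE,
    METRIC_RELATIVE_TICKS
} MetricKind;

/* Constructed 4-entry table. With an 8-byte pointer plus a 4-byte enum
 * padded to 16 bytes per entry, that is 64 bytes on LP64, the size ASan
 * reported for the real table; the real entries are not on the page. */
static const struct {
    const char *name;
    MetricKind  kind;
} metric_desc[] = {
    { "default",        METRIC_DEFAULT        },
    { "absolute",       METRIC_ABSOLUTE       },
    { "relative",       METRIC_RELATIVE       },
    { "relative-ticks", METRIC_RELATIVE_TICKS },
};

#define N_METRICS (sizeof metric_desc / sizeof metric_desc[0])

/* Vulnerable shape: the only exit from the loop is a match. A name that is
 * not in the table (exactly what a fuzzed file supplies) advances i past
 * the last entry and dereferences the 'name' pointer of an entry that does
 * not exist: a pointer-sized read past the global, as in the report.
 * Only ever call this with a name known to be in the table. */
static MetricKind metrics_from_str_unbounded(const char *str)
{
    size_t i = 0;
    while (strcmp(metric_desc[i].name, str) != 0)
        i++;
    return metric_desc[i].kind;
}

/* Hardened: reject NULL, bound the loop by the table length, and report
 * "unknown" explicitly so the caller decides what to do with bad input. */
static MetricKind metrics_from_str(const char *str)
{
    if (str == NULL)
        return METRIC_UNKNOWN;
    for (size_t i = 0; i < N_METRICS; i++)
        if (strcmp(metric_desc[i].name, str) == 0)
            return metric_desc[i].kind;
    return METRIC_UNKNOWN;
}

/* Caller side: a property setter fed from a file should fall back to a
 * safe default on unknown input rather than propagate a garbage value. */
static MetricKind metrics_from_str_or_default(const char *str)
{
    MetricKind k = metrics_from_str(str);
    return k == METRIC_UNKNOWN ? METRIC_DEFAULT : k;
}

int main(void)
{
    /* Constructed sample inputs, including one a fuzzer might produce. */
    const char *samples[] = { "absolute", "relative-ticks", "fuzzed-garbage", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d (or default: %d)\n",
               samples[i] ? samples[i] : "(null)",
               (int) metrics_from_str(samples[i]),
               (int) metrics_from_str_or_default(samples[i]));
    /* The unbounded version is safe only for a name that is present. */
    printf("unbounded(\"relative\") -> %d\n",
           (int) metrics_from_str_unbounded("relative"));
    return 0;
}
```

Building the model with -fsanitize=address and feeding the unbounded version an unknown name reproduces the same report shape (a global-buffer-overflow read just past the table); the bounded version returns METRIC_UNKNOWN instead, which is the behaviour a file parser needs for attacker-controlled attribute values.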
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.