Bug 760105 – Heap-buffer overread in gsf-utils.c:256 on a fuzzed xls file

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 760105 - Heap-buffer overread in gsf-utils.c:256 on a fuzzed xls file


Summary:	Heap-buffer overread in gsf-utils.c:256 on a fuzzed xls file


Status:	RESOLVED FIXED

Product:	Gnumeric
Classification:	Applications
Component:	import/export MS Excel (tm)
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Jody Goldberg
QA Contact:	Jody Goldberg

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2016-01-03 21:38 UTC by jutaky
Modified:	2016-01-04 20:50 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description jutaky 2016-01-03 21:38:04 UTC

Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_009-gsf-utils.c.256.xls

$ ssconvert gnumeric_case_009-gsf-utils.c.256.xls /tmp/out.gnumeric

==27945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000468bc at pc 0x7f7161089a45 bp 0x7fff722e13d0 sp 0x7fff722e13c8
READ of size 1 at 0x6040000468bc thread T0
    #0 0x7f7161089a44 in gsf_mem_dump_full gnumeric/libgsf/gsf/gsf-utils.c:256:24
    #1 0x7f7161089a44 in gsf_mem_dump gnumeric/libgsf/gsf/gsf-utils.c:286
    #2 0x7f7142c0a434 in excel_parse_formula1 gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1869:3
    #3 0x7f7142bffbc3 in excel_parse_formula gnumeric/gnumeric/plugins/excel/ms-formula-read.c:1910:21
    #4 0x7f7142b9d6a9 in ms_sheet_parse_expr_internal gnumeric/gnumeric/plugins/excel/ms-excel-read.c:305:10
    #5 0x7f7142b6f06c in ms_container_parse_expr gnumeric/gnumeric/plugins/excel/ms-container.c:188:9
    #6 0x7f7142c2ae40 in ms_obj_read_expr gnumeric/gnumeric/plugins/excel/ms-obj.c:520:21
    #7 0x7f7142c1f592 in ms_obj_read_biff8_obj gnumeric/gnumeric/plugins/excel/ms-obj.c:1011:4
    #8 0x7f7142c1f592 in ms_read_OBJ gnumeric/gnumeric/plugins/excel/ms-obj.c:1294
    #9 0x7f7142b79596 in ms_escher_read_ClientData gnumeric/gnumeric/plugins/excel/ms-escher.c:2063:6
    #10 0x7f7142b71711 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #11 0x7f7142b71711 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #12 0x7f7142b71711 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #13 0x7f7142b71711 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10
    #14 0x7f7142b709eb in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2248:2
    #15 0x7f7142b9fe41 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6819:4
    #16 0x7f7142b9380d in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7119:4
    #17 0x7f7142b8acb2 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7228:4
    #18 0x7f7142b637a2 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2
    #19 0x7f7161b32ed2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #20 0x7f7161b3bb96 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #21 0x7f7161b3fcec in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #22 0x7f716273ed00 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #23 0x7f716273f07f in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #24 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #25 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #26 0x7f715c7a460f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #27 0x41a688 in _start (apps/bin/ssconvert+0x41a688)

--
Juha Kylmänen

Comment 1 Morten Welinder 2016-01-04 14:54:19 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.

Comment 2 Morten Welinder 2016-01-04 15:25:45 UTC

Wrong bug closed.

Comment 3 Morten Welinder 2016-01-04 20:50:52 UTC

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.