GNOME Bugzilla – Bug 760232
Heap-buffer overread in ms-obj.c:1073 on a fuzzed xls file
Last modified: 2016-01-08 13:05:38 UTC
Git versions of gtk, glib, goffice, gnumeric, libgsf and libxml2. Test case: http://jutaky.com/fuzzing/gnumeric_case_014-ms-obj.c.1073.xls $ ssconvert gnumeric_case_014-ms-obj.c.1073.xls /tmp/out.gnumeric ==30689==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000046b36 at pc 0x7f989e527283 bp 0x7ffe4e176510 sp 0x7ffe4e176508 READ of size 1 at 0x604000046b36 thread T0 #0 0x7f989e527282 in ms_obj_read_biff8_obj gnumeric/gnumeric/plugins/excel/ms-obj.c:1073:6 #1 0x7f989e527282 in ms_read_OBJ gnumeric/gnumeric/plugins/excel/ms-obj.c:1303 #2 0x7f989e479706 in ms_escher_read_ClientData gnumeric/gnumeric/plugins/excel/ms-escher.c:2063:6 #3 0x7f989e471881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10 #4 0x7f989e471881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10 #5 0x7f989e471881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10 #6 0x7f989e471881 in ms_escher_read_container gnumeric/gnumeric/plugins/excel/ms-escher.c:2181:10 #7 0x7f989e470b5b in ms_escher_parse gnumeric/gnumeric/plugins/excel/ms-escher.c:2248:2 #8 0x7f989e4a0201 in excel_read_sheet gnumeric/gnumeric/plugins/excel/ms-excel-read.c:6833:4 #9 0x7f989e4939cd in excel_read_BOF gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7133:4 #10 0x7f989e48ae22 in excel_read_workbook gnumeric/gnumeric/plugins/excel/ms-excel-read.c:7242:4 #11 0x7f989e463902 in excel_enc_file_open gnumeric/gnumeric/plugins/excel/boot.c:193:2 #12 0x7f98bd462ed2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3 #13 0x7f98bd46bb96 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2 #14 0x7f98bd46fcec in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2 #15 0x7f98be06ef80 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3 #16 0x7f98be06f2ff in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9 #17 0x4dd2b5 in convert gnumeric/gnumeric/src/ssconvert.c:715:9 #18 0x4dc6f4 in main gnumeric/gnumeric/src/ssconvert.c:918:19 #19 0x7f98b80d460f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #20 0x41a688 in _start (apps/bin/ssconvert+0x41a688) -- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution. As a matter of priorities, xls is almost uninteresting unless we start writing in random locations. Mere crashes or reading memory we ought not read when given bogus files isn't that interesting.
While I did fix this, it looks like the commit wasn't pushed yet. That'll happen tonight.