Bug 761663 - Segfault in xlsx-read-drawing.c:298 on a fuzzed xlsx file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware/OS: Other Linux
Priority/Severity: Normal normal
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2016-02-07 08:30 UTC by jutaky
Modified: 2016-02-07 20:00 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2016-02-07 08:30:21 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_002-xlsx-read-drawing.c.298.xlsx

$ ssconvert gnumeric_case_002-xlsx-read-drawing.c.298.xlsx /tmp/out.gnumeric

==9892==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000c8 (pc 0x7f071979a2b7 bp 0x7ffc573ba5b8 sp 0x7ffc573b8400 T0)
    #0 0x7f071979a2b6 in xlsx_rpr_latin gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:298:74
    #1 0x7f072ce705ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7f072ce78800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7f072ce76962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7f072c4b93d8 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8712:6
    #5 0x7f072c4be82b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10132:9
    #6 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #7 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #8 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #9 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #10 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #11 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #12 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #13 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #14 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #15 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #16 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #17 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #18 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #19 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #20 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #21 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #22 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #23 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #24 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #25 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #26 0x7f072c4d200d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #27 0x7f072ce7091c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #28 0x7f072ce8a522 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:450:8
    #29 0x7f0719793bd0 in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #30 0x7f071979d5c2 in xlsx_read_chart gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3067:3
    #31 0x7f072ce705ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #32 0x7f072ce78800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #33 0x7f072ce76962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #34 0x7f072c4b93d8 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8712:6
    #35 0x7f072c4be82b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10132:9
    #36 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #37 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #38 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #39 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #40 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #41 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #42 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #43 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #44 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #45 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #46 0x7f072c4d200d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #47 0x7f072ce7091c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #48 0x7f072ce8a522 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:450:8
    #49 0x7f0719793bd0 in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #50 0x7f0719789ce8 in xlsx_sheet_drawing gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3574:3
    #51 0x7f072ce705ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #52 0x7f072ce78800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #53 0x7f072ce76962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #54 0x7f072c4b93d8 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8712:6
    #55 0x7f072c4be82b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10132:9
    #56 0x7f072c4bd0e8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #57 0x7f072c4bef24 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #58 0x7f072c4d200d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #59 0x7f072ce7091c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #60 0x7f07197693e9 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #61 0x7f071977afdb in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3999:3
    #62 0x7f072ce77530 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #63 0x7f072c4ba654 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8783:9
    #64 0x7f072c4bff4e in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10243:2
    #65 0x7f072c4d200d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #66 0x7f072ce7091c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #67 0x7f07197693e9 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #68 0x7f0719767780 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5164:4
    #69 0x7f072ddd7be2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #70 0x7f072dde08a6 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #71 0x7f072dde49fc in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #72 0x7f072e9ed95e in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #73 0x7f072e9edcdf in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #74 0x4dd353 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #75 0x4dc792 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #76 0x7f072742a60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #77 0x41a728 in _start (apps/bin/ssconvert+0x41a728)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:298:74 in xlsx_rpr_latin
==9892==ABORTING

--
Juha Kylmänen
Comment 1 Morten Welinder 2016-02-07 20:00:40 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.