Bug 761727 - Segfault in xlsx-read-drawing.c:2247 on a fuzzed xlsx file
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Depends on:
Blocks:
Reported: 2016-02-08 19:29 UTC by jutaky
Modified: 2016-02-08 19:54 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2016-02-08 19:29:16 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_003-xlsx-read-drawing.c.2247.xlsx

$ ssconvert gnumeric_case_003-xlsx-read-drawing.c.2247.xlsx /tmp/out.gnumeric

==12078==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fc3fee0dd28 bp 0x7ffd30c94db8 sp 0x7ffd30c93960 T0)
    #0 0x7fc3fee0dd27 in xlsx_chart_layout_target gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:2247:47
    #1 0x7fc4124f15ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7fc4124f9800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7fc4124f7962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7fc411b3a41a in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8714:6
    #5 0x7fc411b3f84b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10132:9
    #6 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #7 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #8 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #9 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #10 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #11 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #12 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #13 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #14 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #15 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #16 0x7fc411b5302d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #17 0x7fc4124f191c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #18 0x7fc41250b522 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:450:8
    #19 0x7fc3fedfcb70 in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #20 0x7fc3fee06662 in xlsx_read_chart gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3070:3
    #21 0x7fc4124f15ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #22 0x7fc4124f9800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #23 0x7fc4124f7962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #24 0x7fc411b3a3f8 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8712:6
    #25 0x7fc411b3f84b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10132:9
    #26 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #27 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #28 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #29 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #30 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #31 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #32 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #33 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #34 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #35 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #36 0x7fc411b5302d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #37 0x7fc4124f191c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #38 0x7fc41250b522 in gsf_open_pkg_parse_rel_by_id gnumeric/libgsf/gsf/gsf-open-pkg-utils.c:450:8
    #39 0x7fc3fedfcb70 in xlsx_parse_rel_by_id gnumeric/gnumeric/plugins/excel/xlsx-read.c:383:8
    #40 0x7fc3fedf2c88 in xlsx_sheet_drawing gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3577:3
    #41 0x7fc4124f15ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #42 0x7fc4124f9800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #43 0x7fc4124f7962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #44 0x7fc411b3a3f8 in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8712:6
    #45 0x7fc411b3f84b in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10132:9
    #46 0x7fc411b3e108 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10042:6
    #47 0x7fc411b3ff44 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10215:5
    #48 0x7fc411b5302d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #49 0x7fc4124f191c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #50 0x7fc3fedd2389 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #51 0x7fc3fede3f7b in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3999:3
    #52 0x7fc4124f8530 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #53 0x7fc411b3b674 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8783:9
    #54 0x7fc411b40f6e in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10243:2
    #55 0x7fc411b5302d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10912:2
    #56 0x7fc4124f191c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #57 0x7fc3fedd2389 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #58 0x7fc3fedd0720 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5164:4
    #59 0x7fc413458be2 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #60 0x7fc4134618a6 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #61 0x7fc4134659fc in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #62 0x7fc41406e970 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #63 0x7fc41406ecef in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #64 0x4dd355 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #65 0x4dc794 in main gnumeric/gnumeric/src/ssconvert.c:918:19
    #66 0x7fc40caab60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #67 0x41a728 in _start (apps/bin/ssconvert+0x41a728)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:2247:47 in xlsx_chart_layout_target

--
Juha Kylmänen
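The report above gives a triager enough to classify the crash without opening the test file: the fault address 0x8 is a small offset from NULL, so a NULL struct pointer was dereferenced while reading one of its first fields, and the top frame sits in Gnumeric's own xlsx reader rather than in libgsf or libxml2. The Python script below is an added illustration, not part of this bug or of Gnumeric's code. It parses a constructed excerpt of the ASan report (frames trimmed) to extract those facts; the path prefix handed to `first_project_frame` is an assumption about how the reporter laid out the source trees.

```python
"""Triage helper for AddressSanitizer crash reports (added example).

Pulls out the error kind, the faulting address, the stack frames, and
the first frame that lives in the project's own tree rather than in a
dependency, then flags a SEGV on a tiny address as a likely NULL
dereference (NULL pointer plus a small field offset).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the report above; most frames are trimmed.
SAMPLE_REPORT = """\
==12078==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fc3fee0dd28 bp 0x7ffd30c94db8 sp 0x7ffd30c93960 T0)
    #0 0x7fc3fee0dd27 in xlsx_chart_layout_target gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:2247:47
    #1 0x7fc4124f15ef in push_child gnumeric/libgsf/gsf/gsf-libxml.c:658:3
    #2 0x7fc4124f9800 in lookup_child gnumeric/libgsf/gsf/gsf-libxml.c:694:5
    #3 0x7fc4124f7962 in gsf_xml_in_start_element gnumeric/libgsf/gsf/gsf-libxml.c:786:7
    #4 0x7fc411b3a41a in xmlParseStartTag__internal_alias gnumeric/libxml2/parser.c:8714:6
    #20 0x7fc3fee06662 in xlsx_read_chart gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:3070:3
    #66 0x7fc40caab60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/./xlsx-read-drawing.c:2247:47 in xlsx_chart_layout_target
"""

# "SEGV on unknown address 0x..." and "heap-buffer-overflow on address 0x..." both fit.
ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-f]+))?"
)
# Only frames with file:line information are kept; frames that show a
# module+offset (such as __libc_start_main) carry nothing to triage on.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$")

# The first page is unmapped on Linux, so any address below it means a
# NULL pointer plus a small offset, not a wild pointer.
NULL_PAGE = 0x1000


@dataclass
class Frame:
    index: int
    function: str
    file: str
    line: int


@dataclass
class Triage:
    kind: str
    address: Optional[int]
    frames: List[Frame]

    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def first_project_frame(self, project_prefix: str) -> Optional[Frame]:
        """First frame whose path starts with the (assumed) project tree prefix."""
        for frame in self.frames:
            if frame.file.startswith(project_prefix):
                return frame
        return None

    def likely_null_deref(self) -> bool:
        return self.kind == "SEGV" and self.address is not None and self.address < NULL_PAGE


def parse_asan_report(text: str) -> Triage:
    kind, address = "UNKNOWN", None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            kind = m.group(1)
            address = int(m.group(2), 16) if m.group(2) else None
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return Triage(kind, address, frames)


def summarize(triage: Triage, project_prefix: str) -> str:
    top = triage.top_frame()
    own = triage.first_project_frame(project_prefix)
    verdict = "likely NULL dereference" if triage.likely_null_deref() else "needs manual review"
    where = f"{top.function} ({top.file}:{top.line})" if top else "no symbolized frame"
    owner = f"{own.function} ({own.file}:{own.line})" if own else "no frame in project tree"
    return f"{triage.kind} at {triage.address:#x}: {verdict}; top frame {where}; first project frame {owner}"


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT), "gnumeric/gnumeric/"))
```

Pointing `first_project_frame` at a dependency's prefix instead (for example `gnumeric/libgsf/`) shows whether the crash would be attributable to that library if the top frame had been elsewhere; here it is not, which matches the maintainer's fix landing in Gnumeric.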
Comment 1 Morten Welinder 2016-02-08 19:54:34 UTC
Someone tried to save a microsecond in parsing.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.