GNOME Bugzilla – Bug 762278
Heap-buffer overread in parse-util.c:890 on a fuzzed .gnumeric file
Last modified: 2016-02-19 00:43:57 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_001-parse-util.c.890.gnumeric

$ ssconvert gnumeric_case_001-parse-util.c.890.gnumeric /tmp/out.gnumeric
==21671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000059ec0 at pc 0x7f8305d45dcd bp 0x7ffd736e9410 sp 0x7ffd736e9408
READ of size 1 at 0x611000059ec0 thread T0
    #0 0x7f8305d45dcc in unquote gnumeric/gnumeric/src/parse-util.c:890:13
    #1 0x7f8305d45dcc in wbref_parse gnumeric/gnumeric/src/parse-util.c:931
    #2 0x7f8305d427ed in rangeref_parse gnumeric/gnumeric/src/parse-util.c:1132:16
    #3 0x7f8305d30635 in yylex gnumeric/gnumeric/src/parser.y:1174:8
    #4 0x7f8305d241cd in yyparse gnumeric/gnumeric/src/parser.c:1984:16
    #5 0x7f8305d228f2 in gnm_expr_parse_str gnumeric/gnumeric/src/parser.y:1586:2
    #6 0x7f8305f54caa in xml_sax_cell_content gnumeric/gnumeric/src/xml-sax-read.c:2167:14
    #7 0x7f830457a5b0 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #8 0x7f8303bbd664 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8784:9
    #9 0x7f8303bc2f5e in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10244:2
    #10 0x7f8303bc00f8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10043:6
    #11 0x7f8303bc1f34 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10216:5
    #12 0x7f8303bc00f8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10043:6
    #13 0x7f8303bc1f34 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10216:5
    #14 0x7f8303bc00f8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10043:6
    #15 0x7f8303bc1f34 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10216:5
    #16 0x7f8303bc00f8 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:10043:6
    #17 0x7f8303bc1f34 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10216:5
    #18 0x7f8303bd501d in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10913:2
    #19 0x7f830457399c in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #20 0x7f8305f38b81 in read_file_common gnumeric/gnumeric/src/xml-sax-read.c:3479:7
    #21 0x7f8305f3be44 in gnm_xml_file_open gnumeric/gnumeric/src/xml-sax-read.c:3608:7
    #22 0x7f83052e8a75 in go_file_opener_open_real gnumeric/goffice/goffice/app/file.c:159:4
    #23 0x7f83052e3c8c in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #24 0x7f8305ef0800 in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #25 0x7f8305ef0b7f in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #26 0x4dd3d5 in convert gnumeric/gnumeric/src/ssconvert.c:717:9
    #27 0x4dc814 in main gnumeric/gnumeric/src/ssconvert.c:920:11
    #28 0x7f82fe28b60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #29 0x41a7a8 in _start (apps/bin/ssconvert+0x41a7a8)

0x611000059ec0 is located 0 bytes to the right of 256-byte region [0x611000059dc0,0x611000059ec0)
allocated by thread T0 here:
    #0 0x4b0ac0 in realloc (apps/bin/ssconvert+0x4b0ac0)
    #1 0x7f82fed00237 in g_realloc gnumeric/glib/glib/gmem.c:159

SUMMARY: AddressSanitizer: heap-buffer-overflow gnumeric/gnumeric/src/parse-util.c:890:13 in unquote

-- Juha Kylmänen
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.