Bug 324622 - Out-of-bounds read on a corrupted (fuzzed) sxc file
Summary: Out-of-bounds read on a corrupted (fuzzed) sxc file
Status: RESOLVED WORKSFORME
Alias: None
Product: calligrasheets
Classification: Applications
Component: filters (other bugs)
Version First Reported In: 2.8 Pre-Alpha
Platform: Compiled Sources Linux
Priority: NOR
Severity: crash
Target Milestone: ---
Assignee: Calligra Sheets (KSpread) Bugs
URL: http://jutaky.com/fuzzing/calligra_ca...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-07 16:15 UTC by jutaky
Modified: 2018-11-29 09:46 UTC (History)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Attachments

Description jutaky 2013-09-07 16:15:10 UTC
I have been doing security and robustness testing against calligrasheets and here is my first report:

Out-of-bounds read on a corrupted (fuzzed) sxc file.

Git versions of calligra and kdelibs.

Test case: http://jutaky.com/fuzzing/calligra_case_17702_2247.sxc

Backtrace from gdb:

Program received signal SIGSEGV, Segmentation fault.
KoXmlNodeData::loadChildren (this=<optimized out>, depth=depth@entry=1)
    at /calligra/libs/odf/KoXmlReader.cpp:1545
1545	            KoQName qname = packedDoc->qnameList[item.qnameIndex];
(gdb) bt
#0  KoXmlNodeData::loadChildren (this=<optimized out>, depth=depth@entry=1)
    at /calligra/libs/odf/KoXmlReader.cpp:1545
#1  0x00007ffff556449a in KoXmlDocument::documentElement (this=this@entry=0xa2bcb0)
    at /calligra/libs/odf/KoXmlReader.cpp:2565
#2  0x00007fffd8d5c97c in OpenCalcImport::createStyleMap (this=this@entry=0xa2bc80, styles=...)
    at /calligra/filters/sheets/opencalc/opencalcimport.cc:2047
#3  0x00007fffd8d5e58c in OpenCalcImport::openFile (this=this@entry=0xa2bc80)
    at /calligra/filters/sheets/opencalc/opencalcimport.cc:2357
#4  0x00007fffd8d732a3 in OpenCalcImport::convert (this=0xa2bc80, from=..., to=...)
    at /calligra/filters/sheets/opencalc/opencalcimport.cc:2312
#5  0x00007ffff7958c98 in CalligraFilter::ChainLink::invokeFilter (this=0xa2b720, 
    parentChainLink=parentChainLink@entry=0x0) at /calligra/libs/main/KoFilterChainLink.cpp:90
#6  0x00007ffff795295d in KoFilterChain::invokeChain (this=0xa2b760)
    at /calligra/libs/main/KoFilterChain.cpp:95
#7  0x00007ffff794c697 in KoFilterManager::importDocument (this=0x95cdd0, url=..., documentMimeType=..., 
    status=@0x7fffffffd9f0: 7574448) at /calligra/libs/main/KoFilterManager.cpp:170
#8  0x00007ffff78f1b03 in KoDocument::openFile (this=0x8e8610)
    at /calligra/libs/main/KoDocument.cpp:1219
#9  0x00007ffff7985e9b in KoPart::openFile (this=0x8e9530) at /calligra/libs/main/KoPart.cpp:199
#10 0x00007ffff71718a7 in KParts::ReadOnlyPartPrivate::openLocalFile (this=this@entry=0x8d8410)
    at /kdelibs/kparts/part.cpp:591
#11 0x00007ffff7172e8e in KParts::ReadOnlyPart::openUrl (this=<optimized out>, url=...)
    at /kdelibs/kparts/part.cpp:555
#12 0x00007ffff78ee81d in KoDocument::openUrl (this=0x8e8610, _url=...)
    at /calligra/libs/main/KoDocument.cpp:986
#13 0x00007ffff79134cd in KoMainWindow::openDocumentInternal (this=this@entry=0x95b810, url=..., 
    newpart=newpart@entry=0x8e9530, newdoc=newdoc@entry=0x8e8610)
    at /calligra/libs/main/KoMainWindow.cpp:716
#14 0x00007ffff791a6a1 in KoMainWindow::openDocument (this=this@entry=0x95b810, newPart=0x8e9530, url=...)
    at /calligra/libs/main/KoMainWindow.cpp:695
#15 0x00007ffff78e4b68 in KoApplication::start (this=this@entry=0x7fffffffe6d0)
    at /calligra/libs/main/KoApplication.cpp:460
#16 0x00007ffff7bdb697 in kdemain (argc=2, argv=0x7fffffffe808) at /calligra/sheets/part/Main.cpp:41
#17 0x00007ffff1118bc5 in __libc_start_main () from /usr/lib/libc.so.6
#18 0x00000000004008d1 in _start ()

Valgrind trace:

==22616== Invalid read of size 8
==22616==    at 0x74F47C5: KoXmlNodeData::loadChildren(int) (qlist.h:114)
==22616==    by 0x74F7499: KoXmlDocument::documentElement() const (KoXmlReader.cpp:2565)
==22616==    by 0x2609E97B: OpenCalcImport::createStyleMap(KoXmlDocument const&) (opencalcimport.cc:2047)
==22616==    by 0x260A058B: OpenCalcImport::openFile() (opencalcimport.cc:2357)
==22616==    by 0x260B52A2: OpenCalcImport::convert(QByteArray const&, QByteArray const&) (opencalcimport.cc:2312)
==22616==    by 0x510BC97: CalligraFilter::ChainLink::invokeFilter(CalligraFilter::ChainLink const*) (KoFilterChainLink.cpp:90)
==22616==    by 0x510595C: KoFilterChain::invokeChain() (KoFilterChain.cpp:95)
==22616==    by 0x50FF696: KoFilterManager::importDocument(QString const&, QString const&, KoFilter::ConversionStatus&) (KoFilterManager.cpp:170)
==22616==    by 0x50A4B02: KoDocument::openFile() (KoDocument.cpp:1219)
==22616==    by 0x5138E9A: KoPart::openFile() (KoPart.cpp:199)
==22616==    by 0x58958A6: KParts::ReadOnlyPartPrivate::openLocalFile() (part.cpp:591)
==22616==    by 0x5896E8D: KParts::ReadOnlyPart::openUrl(KUrl const&) (part.cpp:555)
==22616==  Address 0x1d7c8588 is 0 bytes after a block of size 24 alloc'd
==22616==    at 0x4C2757B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22616==    by 0xA66ECE0: QListData::detach(int) (in /usr/lib/libQtCore.so.4.8.5)
==22616==    by 0x74F8C1D: QList<KoQName>::detach_helper(int) (qlist.h:709)
==22616==    by 0x74F47B3: KoXmlNodeData::loadChildren(int) (qlist.h:725)
==22616==    by 0x74F7499: KoXmlDocument::documentElement() const (KoXmlReader.cpp:2565)
==22616==    by 0x2609E97B: OpenCalcImport::createStyleMap(KoXmlDocument const&) (opencalcimport.cc:2047)
==22616==    by 0x260A058B: OpenCalcImport::openFile() (opencalcimport.cc:2357)
==22616==    by 0x260B52A2: OpenCalcImport::convert(QByteArray const&, QByteArray const&) (opencalcimport.cc:2312)
==22616==    by 0x510BC97: CalligraFilter::ChainLink::invokeFilter(CalligraFilter::ChainLink const*) (KoFilterChainLink.cpp:90)
==22616==    by 0x510595C: KoFilterChain::invokeChain() (KoFilterChain.cpp:95)
==22616==    by 0x50FF696: KoFilterManager::importDocument(QString const&, QString const&, KoFilter::ConversionStatus&) (KoFilterManager.cpp:170)
==22616==    by 0x50A4B02: KoDocument::openFile() (KoDocument.cpp:1219)

--
Juha Kylmänen
Research Assistant, OUSPG



Reproducible: Always
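The faulting line in the backtrace, `KoQName qname = packedDoc->qnameList[item.qnameIndex];`, indexes the qname table with a value that ultimately comes from the file, and the valgrind trace shows that read landing just past the allocated table. The following is an added example, not Calligra code: a minimal stand-in for the packed document (the `PackedDoc`, `PackedItem` and `QName` types and the sample data are assumptions) showing the unchecked lookup beside a range-checked one and an up-front validator a loader could run before walking children.

```cpp
// Added example, not from KoXmlReader: stand-in types that mimic the
// qnameList / item.qnameIndex relationship from the backtrace above.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct QName { std::string ns; std::string name; };   // assumed shape
struct PackedItem { uint32_t qnameIndex; };           // index read from the file

struct PackedDoc {
    std::vector<QName> qnameList;   // table built while parsing the file
    std::vector<PackedItem> items;  // child records referring into that table
};

// The pattern the crash points at: the index is trusted as-is. With a fuzzed
// qnameIndex this reads past the end of qnameList, exactly the kind of
// "0 bytes after a block" read valgrind reported.
inline const QName& lookupUnchecked(const PackedDoc& doc, const PackedItem& item) {
    return doc.qnameList[item.qnameIndex];
}

// Hardened lookup: returns nullptr instead of reading out of bounds.
inline const QName* lookupChecked(const PackedDoc& doc, const PackedItem& item) {
    if (item.qnameIndex >= doc.qnameList.size()) return nullptr;
    return &doc.qnameList[item.qnameIndex];
}

// Validate every qnameIndex once, before loadChildren-style traversal, so a
// corrupted file is rejected as a whole. Returns the count of bad references.
inline std::size_t countBadQNameRefs(const PackedDoc& doc) {
    std::size_t bad = 0;
    for (const PackedItem& it : doc.items)
        if (it.qnameIndex >= doc.qnameList.size()) ++bad;
    return bad;
}

// Constructed sample: three qnames and one item whose index is one past the end.
inline PackedDoc makeFuzzedSample() {
    PackedDoc doc;
    doc.qnameList = { {"office", "document-content"}, {"office", "body"}, {"table", "table"} };
    doc.items = { {0}, {2}, {3} };   // {3} is out of range for a 3-entry table
    return doc;
}
```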
Comment 1 Andrew Crouthamel 2018-10-29 23:59:51 UTC
Dear Bug Submitter,

This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond.

Thank you for helping us make KDE software even better for everyone!
Comment 2 Bug Janitor Service 2018-11-13 14:43:04 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 3 Bug Janitor Service 2018-11-29 09:46:50 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!