Bug#642135: gnumeric: Gnumeric tries to allocate an obnoxious amount of memory and aborts

Wed, 21 Sep 2011 12:24:17 -0700 

On 21.09.2011 18:38, J.H.M. Dassen (Ray) wrote:

Hello Mikko,

On Mon, Sep 19, 2011 at 20:58:01 +0300, Mikko Rasa wrote:

The file in question contains names and addresses of people, so I do not
wish to publish it on the Internet.  However, I can send it to the package
maintainer in exchange of a promise that the information won't be misused.

Here's a backtrace from gdb, perhaps it will be useful:


Evaluation of this type of issue is usually done much more effectively by
gnumeric's upstream maintainers than myself.

It would be helpful if you could supply the file that triggers this issue to
Morten Welinder<mort...@gnome.org>  and Andreas Guelzow<aguel...@pyrshep.ca>.

Morten has commented that a better back trace will be required for analysis
of this issue.
Well, I was going to send the file to the developers but I wanted to provide as much information as possible so I compiled gnumeric and a few libraries from source in order to get a better backtrace. I ended up finding and fixing the bug :) Patch attached. The bug originates from commit 4e484d1 over a year ago.
I think the cause of the bug should be clear from the patch but if any more information is needed I'll be happy to provide it. 

--
Mikko

>From 1a7332cadd7d15b04ea3e499d9bd635908a84009 Mon Sep 17 00:00:00 2001
From: Mikko Rasa <t...@tdb.fi>
Date: Wed, 21 Sep 2011 22:06:48 +0300
Subject: [PATCH] Don't go into infinite loop with percent signs

---
 plugins/openoffice/openoffice-read.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/plugins/openoffice/openoffice-read.c b/plugins/openoffice/openoffice-read.c
index d1531f6..3108303 100644
--- a/plugins/openoffice/openoffice-read.c
+++ b/plugins/openoffice/openoffice-read.c
@@ -3849,7 +3849,7 @@ oo_date_text_end (GsfXMLIn *xin, G_GNUC_UNUSED GsfXMLBlob *blob)
 			int len = xin->content->len;
 			char const *text = xin->content->str;
 			char const *percent_sign;
-			while ((percent_sign = strchr (xin->content->str, '%')) != NULL) {
+			while ((percent_sign = strchr (text, '%')) != NULL) {
 				if (percent_sign > text) {
 					oo_date_text_end_append
 						(state->cur_format.accum, text,
-- 
1.7.6.3

Reply via email to