NULL dereference in datetime_from_filetime at gsf-infile-msole.c:292
The gsf-office-thumbnailer crashes on NULL dereference when processing the attached fuzzed file.
How to reproduce
$ git clone https://gitlab.gnome.org/GNOME/libgsf.git # commit 9e5266c1d
$ cd libgsf
$ ./autogen.sh
$ ./configure CFLAGS="-O0 -ggdb3" --disable-shared
$ make
$ ./thumbnailer/gsf-office-thumbnailer -s 32 -o /dev/null -i /tmp/office-thumbnailer-null.bin
(gsf-office-thumbnailer:9000): libgsf:msole-WARNING **: 13:47:46.604: There are not supposed to be any blocks in the small block allocation table, yet there is a link to some. Ignoring it.
Segmentation fault
$ strace -e none -e signal=SIGSEGV -k ./thumbnailer/gsf-office-thumbnailer -s 32 -o /dev/null -i /tmp/office-thumbnailer-null.bin
(gsf-office-thumbnailer:9005): libgsf:msole-WARNING **: 13:48:15.048: There are not supposed to be any blocks in the small block allocation table, yet there is a link to some. Ignoring it.
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x10} ---
> /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6200.1(g_date_time_add+0x10) [0x372d0]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(datetime_from_filetime+0x9d) [0x21d91]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(ole_dirent_new+0x338) [0x220df]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(ole_init_info+0x935) [0x23156]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(gsf_infile_msole_new+0x111) [0x2407c]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(read_thumbnail_and_write+0x9f) [0xbfc6]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(main+0x103) [0xc1d1]
> /lib/x86_64-linux-gnu/libc-2.30.so(__libc_start_main+0xf3) [0x271e3]
> /tmp/libgsf/thumbnailer/gsf-office-thumbnailer(_start+0x2e) [0xb83e]
+++ killed by SIGSEGV +++
Segmentation fault
The warning seems to be introduced by minimization and is most probably unrelated.
Analysis
$ gdb -q --args ./thumbnailer/gsf-office-thumbnailer -s 32 -o /dev/null -i /tmp/office-thumbnailer-null.bin
Reading symbols from ./thumbnailer/gsf-office-thumbnailer...
(gdb) r
Starting program: /tmp/libgsf/thumbnailer/gsf-office-thumbnailer -s 32 -o /dev/null -i /tmp/office-thumbnailer-null.bin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(gsf-office-thumbnailer:9010): libgsf:msole-WARNING **: 13:48:32.700: There are not supposed to be any blocks in the small block allocation table, yet there is a link to some. Ignoring it.
Program received signal SIGSEGV, Segmentation fault.
g_date_time_add (datetime=0x0, timespan=768030) at ../../../glib/gdatetime.c:1705
1705 ../../../glib/gdatetime.c: No such file or directory.
(gdb) up
#1 0x0000555555575d91 in datetime_from_filetime (ft=3472328296227680304) at gsf-infile-msole.c:292
292 res = g_date_time_add (dt, (ft % 10000000u) / 10);
(gdb) p dt
$1 = (GDateTime *) 0x0
(gdb) p/x ft
$2 = 0x3030303030303030
Looks like the fuzzer has corrupted some time field, so that g_date_time_new_from_unix_local returns NULL, and datetime_from_filetime does not handle that case correctly. I have GLib 2.62.1-1 on my Ubuntu system. According to current master branch sources, it returns NULL implicitly when
if (t > G_MAXINT64 / USEC_PER_SECOND)
return NULL;
and this seems to be the case here.
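As an added defensive example (not libgsf's code): a range-checked FILETIME conversion in plain C that rejects the reported value instead of handing an unrepresentable date to a calendar API that may return NULL. The 0001..9999 calendar range and the epoch constants are assumptions standing in for what GLib's GDateTime accepts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC. */
#define FILETIME_TICKS_PER_SEC 10000000ULL
/* Seconds from the FILETIME epoch (1601) to the Unix epoch (1970). */
#define EPOCH_DIFF_SECS 11644473600LL
/* Assumed representable calendar range, 0001-01-01 .. 9999-12-31 UTC,
 * expressed as Unix seconds; anything outside it is rejected up front. */
#define MIN_UNIX_SECS (-62135596800LL)
#define MAX_UNIX_SECS 253402300799LL

/* Split a FILETIME into Unix seconds and the remaining microseconds.
 * Returns false instead of passing an unrepresentable date downstream,
 * which is exactly the case the crashing input triggers. */
bool filetime_to_unix(uint64_t ft, int64_t *secs, int64_t *usecs)
{
    /* ft / 10^7 < 2^41, so the subtraction below cannot overflow int64. */
    int64_t t = (int64_t)(ft / FILETIME_TICKS_PER_SEC) - EPOCH_DIFF_SECS;
    if (t < MIN_UNIX_SECS || t > MAX_UNIX_SECS)
        return false;
    *secs = t;
    /* Leftover ticks are 100 ns each; divide by 10 to get microseconds. */
    *usecs = (int64_t)((ft % FILETIME_TICKS_PER_SEC) / 10);
    return true;
}

/* The fuzzed field from the report: eight ASCII '0' bytes. */
#define CRASHING_FT 0x3030303030303030ULL
/* FILETIME of 1970-01-01 00:00:00 UTC (constructed reference input). */
#define UNIX_EPOCH_FT 116444736000000000ULL

int main(void)
{
    int64_t s, us;
    if (filetime_to_unix(CRASHING_FT, &s, &us))
        printf("converted: %lld s + %lld us\n", (long long)s, (long long)us);
    else
        printf("rejected FILETIME 0x%016llx: date out of range\n",
               (unsigned long long)CRASHING_FT);
    if (filetime_to_unix(UNIX_EPOCH_FT + 12345678ULL, &s, &us))
        printf("converted: %lld s + %lld us\n", (long long)s, (long long)us);
    return 0;
}
```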