workbook_define_name stack-buffer-underflow

wxie7 commented 3 months ago

hello, maybe there exist a bug in workbook_define_name. Below is an example

#include "xlsxwriter.h"

int main() {

    /* Create a new workbook and add a worksheet. */
    lxw_workbook  *workbook  = workbook_new("demo.xlsx");

    lxw_error err = workbook_define_name(workbook, "!", "=0.96");

    workbook_close(workbook);

    return 0;
}

The following is asan information

=================================================================
==3917155==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffeb67ba13f at pc 0x56298a699cf6 bp 0x7ffeb67ba110 sp 0x7ffeb67ba108
READ of size 1 at 0x7ffeb67ba13f thread T0
    #0 0x56298a699cf5 in _store_defined_name /home/ubuntu/workspace/newest-libxlsxwriter/src/workbook.c:716:13
    #1 0x56298a699705 in workbook_define_name /home/ubuntu/workspace/newest-libxlsxwriter/src/workbook.c:2266:12
    #2 0x56298a686695 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug2.cpp:15:21
    #3 0x7ff6502dcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7ff6502dce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x56298a5c6454 in _start (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug2+0x58454) (BuildId: eb5074b30de9a8cd3f74a3537d63f5ba1a9e6f16)

Address 0x7ffeb67ba13f is located in stack of thread T0 at offset 31 in frame
    #0 0x56298a69971f in _store_defined_name /home/ubuntu/workspace/newest-libxlsxwriter/src/workbook.c:668

  This frame has 1 object(s):
    [32, 160) 'name_copy' (line 673) <== Memory access at offset 31 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /home/ubuntu/workspace/newest-libxlsxwriter/src/workbook.c:716:13 in _store_defined_name
Shadow bytes around the buggy address:
  0x100056cef3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100056cef420: 00 00 00 00 f1 f1 f1[f1]00 00 00 00 00 00 00 00
  0x100056cef430: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x100056cef440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100056cef470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3917155==ABORTING

jmcnamara commented 3 months ago

Thanks. I'll look into it.

jmcnamara commented 3 months ago

Fixed on main. Thanks for the report.

jmcnamara / libxlsxwriter

workbook_define_name stack-buffer-underflow #444