jmcnamara / libxlsxwriter

A C library for creating Excel XLSX files.
https://libxlsxwriter.github.io

_store_array_formula heap-buffer-overflow #446

Closed wxie7 closed 3 months ago

wxie7 commented 3 months ago

Maybe there exists a bug in worksheet_write_dynamic_formula and worksheet_write_dynamic_array_formula. Below is an example:


#include <xlsxwriter/workbook.h>
#include <xlsxwriter/worksheet.h>

int main() {
    lxw_workbook  *workbook  = workbook_new("demo.xlsx");
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);

    // An empty formula string ("") is enough to trigger the out-of-bounds read.
    lxw_error err = worksheet_write_dynamic_formula(worksheet, 0, 0, "", NULL);
    // Also
    // worksheet_write_dynamic_array_formula(worksheet, 0, 0, 0, 0, "", NULL);
    if (err != LXW_NO_ERROR)
        return 1;

    workbook_close(workbook);

    return 0;
}

Below is the ASan information:

=================================================================
==2675438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000004af at pc 0x562869d4a523 bp 0x7fff05004f30 sp 0x7fff05004f28
READ of size 1 at 0x6020000004af thread T0
    #0 0x562869d4a522 in _store_array_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8075:9
    #1 0x562869d4adb5 in worksheet_write_dynamic_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8146:12
    #2 0x562869ce06a8 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug8.cpp:11:21
    #3 0x7fca4046ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fca4046ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x562869c20454 in _start (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug8+0x58454) (BuildId: e40ae509915daf6c86a9e328bddaa36cd11cb982)

0x6020000004af is located 1 bytes to the left of 1-byte region [0x6020000004b0,0x6020000004b1)
allocated by thread T0 here:
    #0 0x562869ca329e in malloc (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug8+0xdb29e) (BuildId: e40ae509915daf6c86a9e328bddaa36cd11cb982)
    #1 0x562869e45ed8 in lxw_strdup /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:471:12
    #2 0x562869e4600f in lxw_strdup_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:489:16
    #3 0x562869d4a4b5 in _store_array_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8072:24
    #4 0x562869d4adb5 in worksheet_write_dynamic_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8146:12
    #5 0x562869ce06a8 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug8.cpp:11:21
    #6 0x7fca4046ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8075:9 in _store_array_formula
==2675438==ABORTING
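A minimal C illustration, added here and not code from libxlsxwriter, of the pattern the ASan report above is consistent with: the heap copy of an empty formula is a 1-byte region holding only the NUL, and indexing it at strlen - 1 reads one byte to its left. The function names, the brace-stripping logic and the caller-side rejection of an empty formula are assumptions; the hardened form shows the length check and the API-boundary check a maintainer would want.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Buggy pattern (assumed, not quoted from the library): strip a trailing '}'
 * by indexing at strlen(s) - 1. For "" strlen() is 0, the size_t index wraps,
 * and the read lands one byte before the heap copy, matching the report's
 * "READ of size 1 ... 1 bytes to the left of 1-byte region". */
void strip_trailing_brace_unchecked(char *s)
{
    if (s[strlen(s) - 1] == '}')
        s[strlen(s) - 1] = '\0';
}

/* Hardened form: take the length once and check it before every index. */
static void strip_array_braces_checked(char *s)
{
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '}')
        s[--len] = '\0';
    if (len > 0 && s[0] == '{')
        memmove(s, s + 1, len);     /* len bytes: the rest plus its NUL */
}

/* Reject an empty formula at the API boundary, before it is copied or parsed.
 * The heap copy stands in for lxw_strdup_formula in the trace (a 1-byte
 * region for ""). Returns 0 and writes the stripped formula to out, else -1. */
int store_formula_checked(const char *formula, char *out, size_t out_size)
{
    if (formula == NULL || formula[0] == '\0')
        return -1;
    size_t len = strlen(formula);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, formula, len + 1);
    strip_array_braces_checked(copy);
    snprintf(out, out_size, "%s", copy);
    free(copy);
    return 0;
}

/* Check helper: 1 when storing formula yields expected, 0 otherwise. */
int stored_equals(const char *formula, const char *expected)
{
    char buf[64];
    if (store_formula_checked(formula, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```

Built with -fsanitize=address, the unchecked variant reports the same 1-byte left read when handed a copy of ""; the checked variant never indexes a zero-length string.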
jmcnamara commented 3 months ago

Thanks. I'll take a look.

BTW, are you finding these via fuzz testing or some other method?

wxie7 commented 3 months ago

> Thanks. I'll take a look.
>
> BTW, are you finding these via fuzz testing or some other method?

Yes, I wrote a new fuzz driver according to #431

jmcnamara commented 3 months ago

Could you post some instructions on how to compile examples like the one above with AddressSanitizer?

wxie7 commented 3 months ago
  1. Add set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=trace-pc-guard") in CMakeLists.txt
  2. Build libxlsxwriter
  3. Use clang++ -g -fsanitize=leak,address ../bugs/bug8.cpp -L. -lxlsxwriter -lz -o bug8 in the build directory

jmcnamara commented 3 months ago

Fixed on main. Thanks.