
worksheet_set_selection stack-buffer-overflow #447

Closed wxie7 closed 2 months ago

wxie7 commented 3 months ago

There appears to be a stack-buffer-overflow in worksheet_set_selection when the library is compiled as 32-bit (-m32) with AddressSanitizer; the row arguments in the call below are far beyond any valid worksheet row. Below is a minimal reproducer:

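/*
 * Reproducer for the worksheet_set_selection() stack-buffer-overflow.
 *
 * The first/last row arguments (2486186032 and 2955948080) both exceed
 * 2^31 and are nowhere near a valid worksheet row; the column arguments
 * (12336 and 65535) fit in 16 bits. With a 32-bit ASan build the call
 * reaches lxw_rowcol_to_range() -> lxw_rowcol_to_cell(), and the snprintf
 * there writes past the end of the fixed-size `sqref` buffer in
 * worksheet_set_selection()'s frame (see the AddressSanitizer report
 * below). NOTE(review): presumably the selection path does not
 * range-check its row/column arguments the way the cell-writing
 * functions do -- confirm against worksheet.c around line 9552.
 *
 * Returns 0 on success, 1 if the workbook or worksheet could not be
 * created.
 */
int main() {
    lxw_workbook *workbook = workbook_new("demo.xlsx");
    if (!workbook) {
        /* NOTE(review): assumes a NULL return signals failure; bail rather
         * than dereference it in workbook_add_worksheet(). */
        return 1;
    }

    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    if (!worksheet) {
        workbook_close(workbook);
        return 1;
    }

    /* Trigger: out-of-range first/last rows with in-range columns. */
    worksheet_set_selection(worksheet, 2486186032, 12336, 2955948080, 65535);

    workbook_close(workbook);
    return 0;
}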

Below is the change made to CMakeLists.txt to build the library as 32-bit with AddressSanitizer (a local reproduction tweak, not a proposed patch):

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -140,6 +140,8 @@ option(USE_MEM_FILE "Use fmemopen()/open_memstream() in place of temporary files
 option(IOAPI_NO_64 "Disable 64-bit filesystem support" OFF)
 option(USE_DTOA_LIBRARY "Use the locale independent third party Milo Yip DTOA library" OFF)

+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -m32 -fsanitize=address,leak")
+
 if(MSVC)
     option(USE_STATIC_MSVC_RUNTIME "Use the static runtime library" OFF)
 endif()
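Review bot: The added `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -m32 -fsanitize=address,leak")` forces every configuration of the project into a 32-bit sanitizer build unconditionally, so as written it is a local reproduction tweak rather than something that could be merged. The same build is obtained without editing the file by passing the flags at configure time, `cmake -DCMAKE_C_FLAGS="-m32 -fsanitize=address,leak" ..`; if it is meant to stay, gate it behind a cache option next to the existing `option(...)` lines. On Linux/glibc LeakSanitizer is presumably already enabled by `address`, so `leak` is likely redundant there. The zlib and minizip the target links against must be built with the same `-m32`, which this hunk does not show.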
@@ -294,7 +296,7 @@ target_sources(${PROJECT_NAME}
     PRIVATE ${LXW_SOURCES}
     PUBLIC ${LXW_HEADERS}
 )
-target_link_libraries(${PROJECT_NAME} LINK_PUBLIC ${ZLIB_LIBRARIES} ${MINIZIP_LIBRARIES} ${LIB_CRYPTO} ${OPENSSL_CRYPTO_LIBRARY})
+target_link_libraries(${PROJECT_NAME} LINK_PUBLIC ${ZLIB_ROOT}/libz.a ${MINIZIP_LIBRARIES} ${LIB_CRYPTO} ${OPENSSL_CRYPTO_LIBRARY})
 target_compile_definitions(${PROJECT_NAME} PRIVATE ${LXW_PRIVATE_COMPILE_DEFINITIONS})
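Review bot: The rewritten `target_link_libraries` line replaces the `${ZLIB_LIBRARIES}` discovered by CMake with a hard-coded `${ZLIB_ROOT}/libz.a`, which expands to `/libz.a` when `ZLIB_ROOT` is not set and silently bypasses whatever version and ABI checks the project's zlib lookup performs. For a 32-bit sanitizer build the intent is presumably to pick up a locally built 32-bit static zlib; that is better expressed by pointing `ZLIB_ROOT` (or `ZLIB_LIBRARY`) at that tree on the configure command line and leaving `${ZLIB_LIBRARIES}` in place. The `target_compile_definitions` line that follows is unchanged.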

Below is the AddressSanitizer report:

=================================================================
==2618841==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffbcd72c at pc 0x56658272 bp 0xffbcd608 sp 0xffbcd1e0
WRITE of size 9 at 0xffbcd72c thread T0
    #0 0x56658271 in vsnprintf (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x54271) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)
    #1 0x56659587 in __interceptor_snprintf (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x55587) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)
    #2 0x568a0b2e in lxw_rowcol_to_cell /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:128:5
    #3 0x568a0d17 in lxw_rowcol_to_range /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:179:5
    #4 0x567843d9 in worksheet_set_selection /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:9591:9
    #5 0x566f89f6 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug-worksheet_selection.cpp:11:5
    #6 0xf7981518  (/lib32/libc.so.6+0x21518) (BuildId: 31c8f0d70dc2786b753d53ec314e2c6e71247c03)
    #7 0xf79815f2 in __libc_start_main (/lib32/libc.so.6+0x215f2) (BuildId: 31c8f0d70dc2786b753d53ec314e2c6e71247c03)
    #8 0x566374aa in _start (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x334aa) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)

Address 0xffbcd72c is located in stack of thread T0 at offset 108 in frame
    #0 0x5678405f in worksheet_set_selection /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:9552

  This frame has 2 object(s):
    [16, 44) 'active_cell' (line 9556)
    [80, 108) 'sqref' (line 9557) <== Memory access at offset 108 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x54271) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058) in vsnprintf
Shadow bytes around the buggy address:
  0x3ff79a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ad0: 00 00 00 00 00 00 00 00 f1 f1 00 00 00 04 f2 f2
=>0x3ff79ae0: f2 f2 00 00 00[04]f3 f3 f3 f3 00 00 00 00 00 00
  0x3ff79af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2618841==ABORTING

Tested on Ubuntu 22

jmcnamara commented 2 months ago

Fixed on main. Thanks.