Open apach301 opened 2 years ago
Hi, I was playing with libFuzzer and found a crash when opening an xlsx file with the xlnt::workbook::load function.
A segmentation fault occurs when loading the crash-3bb6db12fd7659ef690ddb7208a1cb990feda70b.txt file. You can use Docker and the fuzz targets from oss-sydr-fuzz to reproduce the error:
/load_fuzzer crash-3bb6db12fd7659ef690ddb7208a1cb990feda70b.txt
Sanitizer output:
=================================================================
==31981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ffb5fd69c08 bp 0x7ffcc7da1230 sp 0x7ffcc7d9b058 T0)
==31981==The signal is caused by a READ memory access.
==31981==Hint: address points to the zero page.
    #0 0x7ffb5fd69c08 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145c08)
    #1 0xa76baf in xlnt::detail::xlsx_consumer::read_office_document(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:2031:22
    #2 0xa4dad6 in xlnt::detail::xlsx_consumer::read_part(std::vector<xlnt::relationship, std::allocator<xlnt::relationship> > const&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:1495:9
    #3 0x9f8f5f in xlnt::detail::xlsx_consumer::populate_workbook(bool) /xlnt/source/detail/serialization/xlsx_consumer.cpp:1645:5
    #4 0x9f67b2 in xlnt::detail::xlsx_consumer::read(std::istream&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:401:5
    #5 0x546bac in xlnt::workbook::load(std::istream&) /xlnt/source/workbook/workbook.cpp:894:18
    #6 0x56df87 in xlnt::workbook::load(std::vector<unsigned char, std::allocator<unsigned char> > const&) /xlnt/source/workbook/workbook.cpp:919:5
    #7 0x514da2 in LLVMFuzzerTestOneInput /xlnt/build/../load_fuzzer.cc:9:23
    #8 0x441d41 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #9 0x42c35c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x4320cb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #11 0x45ae12 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7ffb5f8b90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x426c7d in _start (/load_fuzzer+0x426c7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145c08) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
==31981==ABORTING
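For triaging reports like the one above, here is an added example (not code from the issue or from the xlnt project) that parses the ASan output and classifies it: a SEGV whose fault address lies in the first page is a null or near-null dereference (a crash, not memory corruption), and the first frame under the project's source tree points at where to look. The report text is taken from the issue, trimmed to the first three frames; the assumption that project sources live under /xlnt/ comes from the trace paths.

```python
import re

# ASan report copied from the issue above, trimmed to the lines the parser needs.
ASAN_REPORT = """==31981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ffb5fd69c08 bp 0x7ffcc7da1230 sp 0x7ffcc7d9b058 T0)
==31981==The signal is caused by a READ memory access.
==31981==Hint: address points to the zero page.
    #0 0x7ffb5fd69c08 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145c08)
    #1 0xa76baf in xlnt::detail::xlsx_consumer::read_office_document(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:2031:22
    #2 0xa4dad6 in xlnt::detail::xlsx_consumer::read_part(std::vector<xlnt::relationship, std::allocator<xlnt::relationship> > const&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:1495:9
"""

# "unknown address" appears for SEGV; other ASan bug kinds (heap-buffer-overflow, ...) say "on address".
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# A frame is "#N 0x... in <function> <file:line:col | (module+offset)>"; the function may contain spaces.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+:\d+:\d+|\(\S+\))\s*$", re.M)

PROJECT_PREFIX = "/xlnt/"  # assumption: the project's own sources, taken from the trace paths


def triage(report: str) -> dict:
    """Classify an ASan report: bug class, access type, fault address and first project frame."""
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    kind, addr = m.group(1), int(m.group(2), 16)
    access = ACCESS_RE.search(report)
    frames = [(int(n), func, loc) for n, func, loc in FRAME_RE.findall(report)]
    # A SEGV inside the first page is a null (or near-null) pointer dereference: a crash/DoS,
    # which ranks below memory-corrupting classes such as heap overflows or use-after-free.
    bug_class = "null-deref" if kind == "SEGV" and addr < 0x1000 else kind.lower()
    origin = next((loc for _, _, loc in frames if loc.startswith(PROJECT_PREFIX)), None)
    return {
        "bug_class": bug_class,
        "access": access.group(1) if access else None,
        "address": addr,
        "origin": origin,
        "frames": len(frames),
    }


if __name__ == "__main__":
    print(triage(ASAN_REPORT))
```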