tfussell / xlnt

:bar_chart: Cross-platform user-friendly xlsx library for C++11+

Segmentation fault in xlsx_consumer::read_office_document() #592

Open apach301 opened 2 years ago

apach301 commented 2 years ago

Hi, I was playing with libFuzzer and found a crash when opening an xlsx file with the xlnt::workbook::load function.

A segmentation fault occurs when loading the crash-3bb6db12fd7659ef690ddb7208a1cb990feda70b.txt file. You can use Docker and the fuzz targets from oss-sydr-fuzz to reproduce the error:

/load_fuzzer crash-3bb6db12fd7659ef690ddb7208a1cb990feda70b.txt

Sanitizer output:

=================================================================
==31981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7ffb5fd69c08 bp 0x7ffcc7da1230 sp 0x7ffcc7d9b058 T0)
==31981==The signal is caused by a READ memory access.
==31981==Hint: address points to the zero page.
    #0 0x7ffb5fd69c08 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145c08)
    #1 0xa76baf in xlnt::detail::xlsx_consumer::read_office_document(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:2031:22
    #2 0xa4dad6 in xlnt::detail::xlsx_consumer::read_part(std::vector<xlnt::relationship, std::allocator<xlnt::relationship> > const&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:1495:9
    #3 0x9f8f5f in xlnt::detail::xlsx_consumer::populate_workbook(bool) /xlnt/source/detail/serialization/xlsx_consumer.cpp:1645:5
    #4 0x9f67b2 in xlnt::detail::xlsx_consumer::read(std::istream&) /xlnt/source/detail/serialization/xlsx_consumer.cpp:401:5
    #5 0x546bac in xlnt::workbook::load(std::istream&) /xlnt/source/workbook/workbook.cpp:894:18
    #6 0x56df87 in xlnt::workbook::load(std::vector<unsigned char, std::allocator<unsigned char> > const&) /xlnt/source/workbook/workbook.cpp:919:5
    #7 0x514da2 in LLVMFuzzerTestOneInput /xlnt/build/../load_fuzzer.cc:9:23
    #8 0x441d41 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #9 0x42c35c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #10 0x4320cb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #11 0x45ae12 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7ffb5f8b90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x426c7d in _start (/load_fuzzer+0x426c7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145c08) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
==31981==ABORTING