tfussell / xlnt

:bar_chart: Cross-platform user-friendly xlsx library for C++11+

Hang in xlnt::detail::zip_streambuf_decompress::process() #597

Open apach301 opened 2 years ago

apach301 commented 2 years ago

Hi, I was playing with libFuzzer and found that the function xlnt::workbook::load hangs when opening an xlsx file.

The bug is reproduced when opening the hang-cf91fe89775e5b32a6ea47e579315be4c0042664.txt file. You can use docker and the fuzz targets from oss-sydr-fuzz to reproduce the hang:

/load_sydr hang-cf91fe89775e5b32a6ea47e579315be4c0042664.txt

Stack trace under gdb:

(gdb) bt
#0  0x0000000000556f88 in tinfl_decompress ()
#1  0x000000000054e0ba in mz_inflate ()
#2  0x000000000054979e in xlnt::detail::zip_streambuf_decompress::process (this=0x1e17ca0) at /xlnt/source/detail/serialization/zstream.cpp:269
#3  0x0000000000548924 in xlnt::detail::zip_streambuf_decompress::underflow (this=0x1e17ca0) at /xlnt/source/detail/serialization/zstream.cpp:300
#4  0x00007fdaf8727d76 in std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007fdaf86fea82 in std::istream::read(char*, long) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x000000000056e05a in xml::parser::next_body (this=0x7ffd3a15ee38) at /xlnt/third-party/libstudxml/libstudxml/parser.cxx:647
#7  0x000000000056ca17 in xml::parser::next_ (this=0x7ffd3a15ee38, peek=false) at /xlnt/third-party/libstudxml/libstudxml/parser.cxx:378
#8  0x000000000056c929 in xml::parser::next (this=0x7ffd3a15ee38) at /xlnt/third-party/libstudxml/libstudxml/parser.cxx:184
#9  0x000000000056d45a in xml::parser::next_expect (this=0x7ffd3a15ee38, e=xml::parser::start_element, Python Exception <class 'gdb.error'> There is no member named _M_p.: 
ns=, Python Exception <class 'gdb.error'> There is no member named _M_p.: 
n=) at /xlnt/third-party/libstudxml/libstudxml/parser.cxx:288
#10 0x00000000004d9f6a in xml::parser::next_expect (this=0x7ffd3a15ee38, e=xml::parser::start_element, qn=...) at /xlnt/source/../source/../third-party/libstudxml/libstudxml/parser.ixx:135
#11 0x00000000004ac1a4 in xlnt::detail::xlsx_consumer::expect_start_element (this=0x7ffd3a15fc40, name=..., content=...) at /xlnt/source/detail/serialization/xlsx_consumer.cpp:3075
#12 0x00000000004b5330 in xlnt::detail::xlsx_consumer::read_core_properties (this=0x7ffd3a15fc40) at /xlnt/source/detail/serialization/xlsx_consumer.cpp:1692
#13 0x00000000004b0107 in xlnt::detail::xlsx_consumer::read_part (this=0x7ffd3a15fc40, rel_chain=std::vector of length 1, capacity 1 = {...}) at /xlnt/source/detail/serialization/xlsx_consumer.cpp:1483
#14 0x00000000004991bd in xlnt::detail::xlsx_consumer::populate_workbook (this=0x7ffd3a15fc40, streaming=false) at /xlnt/source/detail/serialization/xlsx_consumer.cpp:1634
#15 0x0000000000498e1d in xlnt::detail::xlsx_consumer::read (this=0x7ffd3a15fc40, source=...) at /xlnt/source/detail/serialization/xlsx_consumer.cpp:401
#16 0x000000000040dcad in xlnt::workbook::load (this=0x7ffd3a15ff18, stream=...) at /xlnt/source/workbook/workbook.cpp:894
#17 0x00000000004142bf in xlnt::workbook::load (this=0x7ffd3a15ff18, data=std::vector of length 21544, capacity 21544 = {...}) at /xlnt/source/workbook/workbook.cpp:919
#18 0x000000000040739f in LLVMFuzzerTestOneInput (data=<optimized out>, size=<optimized out>) at ../load_sydr.cc:13
#19 0x00007fdaf82b10b3 in __libc_start_main (main=0x407440 <main(int, char**)>, argc=2, argv=0x7ffd3a160048, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd3a160038)
    at ../csu/libc-start.c:308
#20 0x000000000040724e in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74
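The file handed to xlnt::workbook::load is a ZIP archive, and the trace above places the hang inside the inflate loop driven by zip_streambuf_decompress::process(). The issue does not say which property of the input triggers it, so what follows is not a fix for the bug; it is an added example, not xlnt's own code, of the container-level gate a caller that processes untrusted workbooks can run before load: walk the ZIP central directory and refuse archives whose declared sizes, compression methods or offsets are out of policy. The limit values, the rejection of ZIP64 entries, and the build_zip helper that fabricates sample archives are all assumptions made for the example. Loading untrusted files should still happen in a separate process under a wall-clock timeout, since a header check cannot catch every way a decompressor can stall.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Added example, not xlnt code. An .xlsx is a ZIP archive; this walks the
// central directory and rejects archives whose declared sizes, methods or
// offsets look wrong before any byte reaches the inflater. The limits are
// hypothetical policy values, not numbers taken from the issue.
struct ZipLimits {
    uint64_t max_entry_uncompressed = 64u << 20;   // per part
    uint64_t max_total_uncompressed = 256u << 20;  // whole archive
    uint32_t max_ratio = 500;                      // declared uncompressed / compressed
    uint32_t max_entries = 10000;
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) {
    return static_cast<uint16_t>(b[o] | (b[o + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) {
    return static_cast<uint32_t>(rd16(b, o)) | (static_cast<uint32_t>(rd16(b, o + 2)) << 16);
}

// Empty string means "looks sane"; otherwise the reason for rejection.
std::string check_zip_container(const std::vector<uint8_t>& zip, const ZipLimits& lim = ZipLimits()) {
    const size_t n = zip.size();
    if (n < 22) return "too small for an end-of-central-directory record";
    // The EOCD record may be followed by a comment of up to 65535 bytes: scan backwards for it.
    size_t eocd = n, lowest = n >= 22u + 65535u ? n - 22 - 65535 : 0;
    for (size_t i = n - 22;; --i) {
        if (rd32(zip, i) == 0x06054b50u) { eocd = i; break; }
        if (i == lowest) break;
    }
    if (eocd == n) return "no end-of-central-directory record";
    const uint32_t entries = rd16(zip, eocd + 10);
    const uint32_t cd_size = rd32(zip, eocd + 12);
    const uint32_t cd_off = rd32(zip, eocd + 16);
    if (entries > lim.max_entries) return "too many entries";
    if (uint64_t(cd_off) + cd_size > eocd) return "central directory outside file";

    size_t p = cd_off;
    uint64_t total = 0;
    for (uint32_t i = 0; i < entries; ++i) {
        if (p + 46 > eocd || rd32(zip, p) != 0x02014b50u) return "truncated or malformed central directory";
        const uint16_t method = rd16(zip, p + 10);
        const uint32_t csize = rd32(zip, p + 20), usize = rd32(zip, p + 24);
        const uint16_t fnlen = rd16(zip, p + 28), exlen = rd16(zip, p + 30), cmlen = rd16(zip, p + 32);
        const uint32_t local_off = rd32(zip, p + 42);
        if (method != 0 && method != 8) return "unsupported compression method";
        if (csize == 0xffffffffu || usize == 0xffffffffu) return "ZIP64 sizes not accepted";  // policy assumption
        if (usize > lim.max_entry_uncompressed) return "entry too large when expanded";
        if (csize == 0 && usize != 0) return "zero compressed size with nonzero uncompressed size";
        if (csize != 0 && usize / csize > lim.max_ratio) return "suspicious compression ratio";
        if (method == 0 && csize != usize) return "stored entry with mismatched sizes";
        total += usize;
        if (total > lim.max_total_uncompressed) return "archive too large when expanded";
        // 30 = fixed local header size; the local name length is assumed to match the central one.
        if (uint64_t(local_off) + 30 + fnlen + csize > cd_off) return "entry data outside file";
        p += 46 + fnlen + exlen + cmlen;
    }
    return "";
}

// Sample-input builder (constructed data, not a real workbook): writes a ZIP with
// the given parts so the check can be exercised offline. declared_usize lets a
// test forge the size a hostile archive would claim; 0 means "truthful".
struct Part {
    std::string name, data; uint16_t method; uint32_t declared_usize;
    Part(std::string n, std::string d, uint16_t m = 0, uint32_t u = 0)
        : name(std::move(n)), data(std::move(d)), method(m), declared_usize(u) {}
};
static void put16(std::vector<uint8_t>& b, uint32_t v) { b.push_back(v & 0xff); b.push_back((v >> 8) & 0xff); }
static void put32(std::vector<uint8_t>& b, uint32_t v) { put16(b, v & 0xffff); put16(b, v >> 16); }

std::vector<uint8_t> build_zip(const std::vector<Part>& parts) {
    std::vector<uint8_t> out, cd;
    for (const Part& f : parts) {
        const uint32_t usize = f.declared_usize ? f.declared_usize : uint32_t(f.data.size());
        const uint32_t local_off = uint32_t(out.size());
        put32(out, 0x04034b50u); put16(out, 20); put16(out, 0); put16(out, f.method);
        put16(out, 0); put16(out, 0); put32(out, 0);               // time, date, crc (crc not checked here)
        put32(out, uint32_t(f.data.size())); put32(out, usize);
        put16(out, uint32_t(f.name.size())); put16(out, 0);
        out.insert(out.end(), f.name.begin(), f.name.end());
        out.insert(out.end(), f.data.begin(), f.data.end());
        put32(cd, 0x02014b50u); put16(cd, 20); put16(cd, 20); put16(cd, 0); put16(cd, f.method);
        put16(cd, 0); put16(cd, 0); put32(cd, 0);
        put32(cd, uint32_t(f.data.size())); put32(cd, usize);
        put16(cd, uint32_t(f.name.size())); put16(cd, 0); put16(cd, 0);
        put16(cd, 0); put16(cd, 0); put32(cd, 0); put32(cd, local_off);
        cd.insert(cd.end(), f.name.begin(), f.name.end());
    }
    const uint32_t cd_off = uint32_t(out.size());
    out.insert(out.end(), cd.begin(), cd.end());
    put32(out, 0x06054b50u); put16(out, 0); put16(out, 0);
    put16(out, uint32_t(parts.size())); put16(out, uint32_t(parts.size()));
    put32(out, uint32_t(cd.size())); put32(out, cd_off); put16(out, 0);
    return out;
}

int main() {
    std::vector<Part> good = {{"[Content_Types].xml", "<Types/>"}, {"xl/workbook.xml", "<workbook/>"}};
    std::vector<Part> bomb = {{"xl/worksheets/sheet1.xml", std::string(10, 'x'), 8, 0xfffffff0u}};
    std::printf("good: '%s'\n", check_zip_container(build_zip(good)).c_str());
    std::printf("bomb: '%s'\n", check_zip_container(build_zip(bomb)).c_str());
    return 0;
}
```

The check reads only the central directory, which is what a real extractor trusts; local headers may carry zero sizes when the data-descriptor flag is set, so they are not used for the size policy. The ratio limit is the one value most likely to need tuning for real workbooks, since XML parts compress well.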