Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

worksheet_set_selection stack-buffer-overflow #447

Closed
wxie7 opened this issue May 30, 2024 · 1 comment
Closed

worksheet_set_selection stack-buffer-overflow #447

wxie7 opened this issue May 30, 2024 · 1 comment

Comments

@wxie7
Copy link

wxie7 commented May 30, 2024

Maybe there exist a bug in worksheet_set_selection when compile with 32bit.
Below is an example

int main() {
    lxw_workbook  *workbook  = workbook_new("demo.xlsx");
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    worksheet_set_selection(worksheet, 2486186032, 12336, 2955948080, 65535);
    workbook_close(workbook);
    return 0;
}

Below is the modified part of CMakeList.txt

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -140,6 +140,8 @@ option(USE_MEM_FILE "Use fmemopen()/open_memstream() in place of temporary files
 option(IOAPI_NO_64 "Disable 64-bit filesystem support" OFF)
 option(USE_DTOA_LIBRARY "Use the locale independent third party Milo Yip DTOA library" OFF)

+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -m32 -fsanitize=address,leak")
+
 if(MSVC)
     option(USE_STATIC_MSVC_RUNTIME "Use the static runtime library" OFF)
 endif()
@@ -294,7 +296,7 @@ target_sources(${PROJECT_NAME}
     PRIVATE ${LXW_SOURCES}
     PUBLIC ${LXW_HEADERS}
 )
-target_link_libraries(${PROJECT_NAME} LINK_PUBLIC ${ZLIB_LIBRARIES} ${MINIZIP_LIBRARIES} ${LIB_CRYPTO} ${OPENSSL_CRYPTO_LIBRARY})
+target_link_libraries(${PROJECT_NAME} LINK_PUBLIC ${ZLIB_ROOT}/libz.a ${MINIZIP_LIBRARIES} ${LIB_CRYPTO} ${OPENSSL_CRYPTO_LIBRARY})
 target_compile_definitions(${PROJECT_NAME} PRIVATE ${LXW_PRIVATE_COMPILE_DEFINITIONS})

Below is asan information

=================================================================
==2618841==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffbcd72c at pc 0x56658272 bp 0xffbcd608 sp 0xffbcd1e0
WRITE of size 9 at 0xffbcd72c thread T0
    #0 0x56658271 in vsnprintf (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x54271) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)
    #1 0x56659587 in __interceptor_snprintf (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x55587) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)
    #2 0x568a0b2e in lxw_rowcol_to_cell /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:128:5
    #3 0x568a0d17 in lxw_rowcol_to_range /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:179:5
    #4 0x567843d9 in worksheet_set_selection /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:9591:9
    #5 0x566f89f6 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug-worksheet_selection.cpp:11:5
    #6 0xf7981518  (/lib32/libc.so.6+0x21518) (BuildId: 31c8f0d70dc2786b753d53ec314e2c6e71247c03)
    #7 0xf79815f2 in __libc_start_main (/lib32/libc.so.6+0x215f2) (BuildId: 31c8f0d70dc2786b753d53ec314e2c6e71247c03)
    #8 0x566374aa in _start (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x334aa) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)

Address 0xffbcd72c is located in stack of thread T0 at offset 108 in frame
    #0 0x5678405f in worksheet_set_selection /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:9552

  This frame has 2 object(s):
    [16, 44) 'active_cell' (line 9556)
    [80, 108) 'sqref' (line 9557) <== Memory access at offset 108 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x54271) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058) in vsnprintf
Shadow bytes around the buggy address:
  0x3ff79a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ad0: 00 00 00 00 00 00 00 00 f1 f1 00 00 00 04 f2 f2
=>0x3ff79ae0: f2 f2 00 00 00[04]f3 f3 f3 f3 00 00 00 00 00 00
  0x3ff79af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2618841==ABORTING

Tested on Ubuntu 22
jmcnamara added a commit that referenced this issue Jun 5, 2024
@jmcnamara
worksheet: add range check to worksheet_set_selection()
f483e65 
Issue #447
@jmcnamara
Copy link
Owner

Fixed on main. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmcnamara @wxie7