fread crash in ole.c:637 sector_read function #37

Closed
leonzhao7 opened this issue Dec 28, 2018 · 1 comment

@leonzhao7

Test Version

dev version, git clone https://github.com/evanmiller/libxls

Test Environment

root@leon-virtual-machine:/proc# uname -a
Linux leon-virtual-machine 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Test Program

xls2csv [infile]

Gdb and Backtrace

Reading symbols from xls2csv...done.
(gdb) run xls2csv_ole_ole2_fread_327.crash
Starting program: /opt/normal/bin/xls2csv xls2csv_ole_ole2_fread_327.crash
FILE: xls2csv_ole_ole2_fread_327.crash

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:220
220     ../sysdeps/x86_64/multiarch/../memcpy.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:220
#1  0x00007ffff7a85fd3 in __GI__IO_file_xsgetn (fp=0x60e4b0, data=<optimized out>, n=512) at fileops.c:1383
#2  0x00007ffff7a7b236 in __GI__IO_fread (buf=buf@entry=0x7ffff7fe1e10, size=512, count=count@entry=1, fp=0x60e4b0) at iofread.c:38
#3  0x0000000000406579 in fread (__stream=<optimized out>, __n=1, __size=<optimized out>, __ptr=0x7ffff7fe1e10)
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:295
#4  ole2_fread (ole2=ole2@entry=0x60e420, buffer=buffer@entry=0x7ffff7fe1e10, size=<optimized out>, nitems=nitems@entry=1) at src/ole.c:327
#5  0x000000000040666a in sector_read (ole2=0x60e420, buffer=0x7ffff7fe1e10, sid=0) at src/ole.c:604
#6  0x000000000040714c in read_MSAT_body (sectorCount=8389121, sectorOffset=<optimized out>, ole2=0x60e420) at src/ole.c:663
#7  read_MSAT (oleh=0x60e6e0, ole2=0x60e420) at src/ole.c:757
#8  ole2_read_header (ole=ole@entry=0x60e420) at src/ole.c:399
#9  0x0000000000407442 in ole2_open_file (file=file@entry=0x7fffffffe752 "xls2csv_ole_ole2_fread_327.crash") at src/ole.c:552
#10 0x0000000000404a62 in xls_open_file (file=0x7fffffffe752 "xls2csv_ole_ole2_fread_327.crash", charset=0x4075ff "UTF-8",
    outError=outError@entry=0x7fffffffe394) at src/xls.c:1471
#11 0x0000000000400f5a in main (argc=2, argv=0x7fffffffe4b8) at src/xls2csv.c:116
(gdb) f 5
#5  0x000000000040666a in sector_read (ole2=0x60e420, buffer=0x7ffff7fe1e10, sid=0) at src/ole.c:604
604         if ((num = ole2_fread(ole2, buffer, ole2->lsector, 1)) != 1) {
(gdb) l
599                     if (xls_debug) fprintf(stderr, "Error: wanted to seek to sector %u (0x%x) loc=%u\n", sid, sid,
600                     (unsigned int)sector_pos(ole2, sid));
601             return -1;
602         }
603
604         if ((num = ole2_fread(ole2, buffer, ole2->lsector, 1)) != 1) {
605             if (xls_debug) fprintf(stderr, "Error: fread wanted 1 got %lu loc=%u\n", (unsigned long)num,
606                     (unsigned int)sector_pos(ole2, sid));
607             return -1;
608         }

POC file

xls2csv_ole_ole2_fread_327.zip

CREDIT

Zhao Liang, Huawei Weiran Labs

evanmiller added a commit that referenced this issue Dec 29, 2018
Thanks to Zhao Liang, Huawei Weiran Labs
@evanmiller
Collaborator

Fixed in 24044ad

Thanks!
