
SIGSEGV in xls2csv.c:199 (strcmp((char *)cell->str, "bool")) #84

Closed
setsal opened this issue Nov 27, 2020 · 2 comments

@setsal setsal commented Nov 27, 2020

Description

With a specific xls file as input, xls2csv crashes with a segmentation fault when processing an xls cell in strcmp().

Tracing the backtrace to the xls2csv source code, I think this bug may be due to a null cell->str pointer dereference or a bypass of the xls format checking in xls_open_file().

Test Version

libxls dev version

Test Environment

libxls/.libs on  dev
➜ uname -a
Linux typelansq 5.6.0-kali1-amd64 #1 SMP Debian 5.6.7-1kali1 (2020-05-12) x86_64 GNU/Linux

libxls/.libs on  dev
➜ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/9/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 9.3.0-13' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-9 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-9-F9gimE/gcc-9-9.3.0/debian/tmp-nvptx/usr,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-mutex
Thread model: posix
gcc version 9.3.0 (Debian 9.3.0-13)

libxls/.libs on  dev
➜ file poc_0*
poc_01.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: cleit, Last Saved By: leitiennec, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Oct 14 23:33:28 1996, Last Saved Time/Date: Sat Feb 21 15:49:43 2009, Security: 0
poc_02.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: cleit, Last Saved By: leitiennec, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Oct 14 23:33:28 1996, Last Saved Time/Date: Sat Feb 21 15:49:43 2009, Security: 0

GDB and Backtrace

libxls/.libs on  dev took 4m 40s
➜ LD_LIBRARY_PATH=. gdb ./xls2csv

gdb-peda$ run ./poc_01.xls
.
.
Legend: code, data, rodata, heap, value
Stopped reason: SIGSEGV
0x0000555555555399 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffdbe8) at src/xls2csv.c:199
199                                                     if (!strcmp((char *)cell->str, "bool")) // its boolean, and test cell->d
gdb-peda$ bt
#0  0x0000555555555399 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffdbe8) at src/xls2csv.c:199
#1  0x00007ffff7df1cca in __libc_start_main (main=0x555555555160 <main>, argc=0x2, argv=0x7fffffffdbe8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffdbd8) at ../csu/libc-start.c:308
#2  0x000055555555561a in _start ()
gdb-peda$ l
194                         // formula
195                                             if (cell->l == 0) // its a number
196                                             {
197                                                     OutputNumber(cell->d);
198                                             } else {
199                                                     if (!strcmp((char *)cell->str, "bool")) // its boolean, and test cell->d
200                                                     {
201                                                             OutputString((int) cell->d ? "true" : "false");
202                                                     } else if (!strcmp((char *)cell->str, "error")) // formula is in error
203                                                     {
gdb-peda$ p *cell
$2 = {
  id = 0x6,
  row = 0x17,
  col = 0x2,
  xf = 0xf,
  str = 0x0,
  d = 0,
  l = 0xffff,
  width = 0x924,
  colspan = 0x0,
  rowspan = 0x0,
  isHidden = 0x0
}

POC file

poc_01.xls
poc_02.xls

If you need any further information, please feel free to contact me.

Thanks,
setsal
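The gdb dump above shows the crashing cell with str = 0x0 and l = 0xffff, so the else branch at xls2csv.c:199 hands a NULL pointer to strcmp(). The following is an added illustration of the NULL-safe form of that branch; it is not libxls's code nor the fix in dbed5f2, and struct demo_cell, classify_formula_cell and formula_cell_text are stand-ins defined here rather than libxls types or functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the libxls cell record seen in the gdb dump
 * (only the fields the formula-output branch touches); not libxls's own type. */
struct demo_cell {
    const unsigned char *str; /* formula result string, may be NULL in a malformed file */
    double d;                 /* numeric value, also holds the boolean flag */
    int l;                    /* 0 => numeric result, otherwise str describes the result */
};

enum cell_kind { CELL_NUMBER, CELL_BOOL, CELL_ERROR, CELL_STRING, CELL_INVALID };

/* The original branch calls strcmp() on cell->str without checking for NULL;
 * this version rejects the malformed cell instead of dereferencing it. */
enum cell_kind classify_formula_cell(const struct demo_cell *cell)
{
    if (cell->l == 0)
        return CELL_NUMBER;
    if (cell->str == NULL)  /* poc_01.xls produced str == NULL with l == 0xffff */
        return CELL_INVALID;
    if (strcmp((const char *)cell->str, "bool") == 0)
        return CELL_BOOL;
    if (strcmp((const char *)cell->str, "error") == 0)
        return CELL_ERROR;
    return CELL_STRING;
}

/* Text a converter would emit for the cell; the invalid case yields an empty
 * field rather than a crash. Output strings here are illustrative choices. */
const char *formula_cell_text(const struct demo_cell *cell)
{
    switch (classify_formula_cell(cell)) {
    case CELL_NUMBER:  return "<number>";  /* a real converter prints cell->d */
    case CELL_BOOL:    return (int)cell->d ? "true" : "false";
    case CELL_ERROR:   return "error";
    case CELL_STRING:  return (const char *)cell->str;
    default:           return "";
    }
}

int main(void)
{
    /* Constructed cell mirroring the values in the gdb dump. */
    struct demo_cell poc = { NULL, 0, 0xffff };
    printf("poc cell -> kind %d, text \"%s\"\n",
           classify_formula_cell(&poc), formula_cell_text(&poc));
    return 0;
}
```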

evanmiller added a commit that referenced this issue Nov 27, 2020
See #84
@evanmiller
Collaborator

@evanmiller evanmiller commented Nov 27, 2020

Thanks for the report! Should be fixed in dbed5f2

@evanmiller
Collaborator

@evanmiller evanmiller commented Jan 4, 2021

Fixed in libxls 1.6.2

@evanmiller evanmiller closed this Jan 4, 2021