github-starred/libxlsxwriter
2
0
Fork 0
mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-21 06:45:21 -06:00
Code Issues 16 Projects Packages Wiki Activity Actions

Changes: document memory safety fixes for 1.2.5

Browse source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bill Denney 2026-04-05 18:56:12 +00:00
parent da95035568
commit 74e54063af
1 changed files with 36 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

36
Changes.txt
View file

@ -13,6 +13,42 @@
build process. build process.
## 1.2.5 (unreleased)
- Fixed a heap buffer overflow in `worksheet_data_validation_cell()` and
`worksheet_data_validation_range()` when a validation list contained 256 or
more items. The internal `_validation_list_length()` helper used a `uint8_t`
loop counter and an early-exit guard that caused it to under-count long
lists, returning 255 for a list whose true combined length was 511
characters. The caller's length check therefore passed, and
`_validation_list_to_csv()` was invoked. That function also used a `uint8_t`
counter which wrapped to 0 after processing 255 items, creating an infinite
loop that overflowed the 1023-byte output buffer.
Both counters changed to `size_t`; the early-exit guard removed from
`_validation_list_length()` so the actual total length is always returned.
- Fixed quadratic memory over-allocation in `worksheet_add_table()` when
default column headers are generated. `_set_default_table_columns()`
called `calloc(num_cols, sizeof(lxw_table_column))` inside a loop that ran
`num_cols` times, allocating `num_cols` structs per slot when only one was
needed. Total allocation grew as `num_cols²`. At Excel's 16,384-column
limit this exceeds 10 GB, causing `calloc` to fail and the function to
return `LXW_ERROR_MEMORY_MALLOC_FAILED`.
- Fixed a missing null terminator after `strncpy` in
`lxw_rowcol_to_formula_abs()`. If the quoted sheet name were exactly
`LXW_MAX_FORMULA_RANGE_LENGTH - 1` bytes the buffer would not be
null-terminated and the immediately following `strlen()` call would read
past the end of the buffer. Not reachable with valid sheet names (capped
at 31 characters), but fixed defensively.
- Fixed undefined behavior in `lxw_str_tolower()`: loop counter changed from
`int` to `size_t` (correct type for string indexing), and the `tolower()`
argument now carries the required `(unsigned char)` cast to avoid undefined
behavior on bytes with the high bit set.
## 1.2.4 Jan 6 2026 ## 1.2.4 Jan 6 2026
- Added validation of `lxw_datetime` fields to ensure that they are - Added validation of `lxw_datetime` fields to ensure that they are