github-starred/libxlsxwriter
2
0
Fork 0
mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-15 14:15:54 -06:00
Code Issues 16 Projects Packages Wiki Activity Actions

[GH-ISSUE #323] Fuzzing issues: help needed #261

New issue
Closed
opened 2026-05-05 12:03:18 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 12:03:18 -06:00
Owner
Copy link

Originally created by @jmcnamara on GitHub (Mar 27, 2021).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/323

Originally assigned to: @jmcnamara on GitHub.

There are 2 fuzzing issues that have been reported:

  • #312 heap-buffer-overflow in utility.c:461:12
  • #313 stack-buffer-overflow in worksheet_insert_image_buffer_opt

I've closed the originals to merge them into this single amalgamated issue but you can see the details in the links.

I'm looking for someone to:

  • Reproduce the issues
  • Propose a fix for each and, after discussion, implement it.
Originally created by @jmcnamara on GitHub (Mar 27, 2021). Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/323 Originally assigned to: @jmcnamara on GitHub. There are 2 fuzzing issues that have been reported: - #312 heap-buffer-overflow in utility.c:461:12 - #313 stack-buffer-overflow in worksheet_insert_image_buffer_opt I've closed the originals to merge them into this single amalgamated issue but you can see the details in the links. I'm looking for someone to: - Reproduce the issues - Propose a fix for each and, after discussion, implement it.
gitea-mirror 2026-05-05 12:03:18 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 12:03:22 -06:00
Author
Owner
Copy link

@ANaumann85 commented on GitHub (Apr 4, 2021):

I looked at the buffer-overflow in issue #313 . In that example, the user creates a buffer on the heap, but gives the wrong buffer size to the function "worksheet_insert_image_buffer". At that point, you have very small chances to detect that mistake. In my optinion, the issue #313 is not a bug in the library, but a wrong usage.

<!-- gh-comment-id:813097272 --> @ANaumann85 commented on GitHub (Apr 4, 2021): I looked at the buffer-overflow in issue #313 . In that example, the user creates a buffer on the heap, but gives the wrong buffer size to the function "worksheet_insert_image_buffer". At that point, you have very small chances to detect that mistake. In my optinion, the issue #313 is not a bug in the library, but a wrong usage.
gitea-mirror commented 2026-05-05 12:03:23 -06:00
Author
Owner
Copy link

@ANaumann85 commented on GitHub (Apr 4, 2021):

The issue #312 is a bit delicate and consists of two problems:

  1. It seems, that you rely on the null terminator of a string. For example in the file worksheet.c is a check for the end of the string using !*string. That works only, if your string is really terminated by a 0. But if you get a zero-length array without the null-terminator, then the test does not work.

  2. the function lxw_utf8_strlen also relies on the zero-terminated string. If your string is not zero-terminated, the loop will not stop at the end of the string, but some where else.

Both problems arise, if you got wrongly terminated strings. It is not clear to me, how one should handle these errors. In my opinion, these are user errors.

<!-- gh-comment-id:813103317 --> @ANaumann85 commented on GitHub (Apr 4, 2021): The issue #312 is a bit delicate and consists of two problems: 1. It seems, that you rely on the null terminator of a string. For example in the [file worksheet.c](https://github.com/jmcnamara/libxlsxwriter/blob/9aa3d73a5bd1f18d6777f01d4652ca19940cd0e0/src/worksheet.c#L6673) is a check for the end of the string using `!*string`. That works only, if your string is really terminated by a 0. But if you get a zero-length array without the null-terminator, then the test does not work. 2. the function `lxw_utf8_strlen` also relies on the zero-terminated string. If your string is not zero-terminated, [the loop](https://github.com/jmcnamara/libxlsxwriter/blob/9aa3d73a5bd1f18d6777f01d4652ca19940cd0e0/src/utility.c#L461) will not stop at the end of the string, but some where else. Both problems arise, if you got wrongly terminated strings. It is not clear to me, how one should handle these errors. In my opinion, these are user errors.
gitea-mirror commented 2026-05-05 12:03:25 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Apr 5, 2021):

@ANaumann85 Thank you, I appreciate your analysis. Could you also add those comments to the issues (even if they are marked as closed). Thanks once more.

<!-- gh-comment-id:813274577 --> @jmcnamara commented on GitHub (Apr 5, 2021): @ANaumann85 Thank you, I appreciate your analysis. Could you also add those comments to the issues (even if they are marked as closed). Thanks once more.
gitea-mirror commented 2026-05-05 12:03:26 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Apr 7, 2021):

Closing this merged issue. Any further discussion should happen in the individual bug reports.

<!-- gh-comment-id:815319853 --> @jmcnamara commented on GitHub (Apr 7, 2021): Closing this merged issue. Any further discussion should happen in the individual bug reports.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
coverity
cmake-improvements
cmake_pkgconfig_fix
ctest
button
tables
autofilter
dtoa
iwyu
openssl
gentoo
gh310
condition_format
rich_string_html
header_footer_images
custom_data_labels
object_position
gh265
constant_mode_comments2
constant_mode_comments
vml
md5
vcpkg
hyperlinks
api_refactor
win_fopen
gh203
rich_strings
chartsheet
in_mem_image
gh192
revert-162-master
data_validation
meson
charts
scan_build
utf8_strlen
tmpfileplus
custom_properties
insert_image
default_row
control_chars
worksheet_protect
dev
red_black
panes
mkstemp
defined_names
optimise
wip
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.9
v1.1.8
RELEASE_1.1.7
RELEASE_1.1.6
RELEASE_1.1.5
RELEASE_1.1.4
RELEASE_1.1.3
RELEASE_1.1.2
RELEASE_1.1.1
RELEASE_1.1.0
RELEASE_1.0.9
RELEASE_1.0.8
RELEASE_1.0.7
RELEASE_1.0.6
RELEASE_1.0.5
RELEASE_1.0.4
RELEASE_1.0.3
RELEASE_1.0.2
RELEASE_1.0.1
RELEASE_1.0.0
RELEASE_0.9.9
RELEASE_0.9.8
RELEASE_0.9.7
RELEASE_0.9.6
RELEASE_0.9.5
RELEASE_0.9.4
RELEASE_0.9.3
RELEASE_0.9.2
RELEASE_0.9.1
RELEASE_0.9.0
RELEASE_0.8.9
RELEASE_0.8.8
RELEASE_0.8.7
RELEASE_0.8.6
RELEASE_0.8.5
RELEASE_0.8.4
RELEASE_0.8.3
RELEASE_0.8.2
RELEASE_0.8.1
RELEASE_0.8.0
RELEASE_0.7.9
RELEASE_0.7.8
RELEASE_0.7.7
RELEASE_0.7.6
RELEASE_0.7.5
RELEASE_0.7.4
RELEASE_0.7.3
RELEASE_0.7.2
RELEASE_0.7.1
RELEASE_0.7.0
RELEASE_0.6.9
RELEASE_0.6.8
RELEASE_0.6.7
RELEASE_0.6.6
RELEASE_0.6.5
RELEASE_0.6.4
RELEASE_0.6.3
RELEASE_0.6.2
RELEASE_0.6.1
RELEASE_0.6.0
RELEASE_0.5.9
RELEASE_0.5.8
RELEASE_0.5.7
RELEASE_0.5.6
RELEASE_0.5.5
RELEASE_0.5.4
RELEASE_0.5.3
RELEASE_0.5.2
RELEASE_0.5.1
RELEASE_0.5.0
RELEASE_0.4.9
RELEASE_0.4.8
RELEASE_0.4.7
RELEASE_0.4.6
RELEASE_0.4.5
RELEASE_0.4.4
RELEASE_0.4.3
RELEASE_0.4.2
RELEASE_0.4.1
RELEASE_0.4.0
RELEASE_0.3.9
RELEASE_0.3.8
RELEASE_0.3.7
RELEASE_0.3.6
RELEASE_0.3.5
RELEASE_0.3.4
RELEASE_0.3.3
RELEASE_0.3.2
RELEASE_0.3.1
RELEASE_0.3.0
RELEASE_0.2.9
RELEASE_0.2.8
RELEASE_0.2.7
RELEASE_0.2.6
RELEASE_0.2.5
RELEASE_0.2.4
RELEASE_0.2.3
RELEASE_0.2.2
RELEASE_0.2.1
RELEASE_0.2.0
RELEASE_0.1.9
RELEASE_0.1.8
RELEASE_0.1.7
RELEASE_0.1.6
RELEASE_0.1.5
RELEASE_0.1.4
RELEASE_0.1.3
RELEASE_0.1.2
RELEASE_0.1.1
RELEASE_0.1.0
RELEASE_0.0.9
RELEASE_0.0.8
RELEASE_0.0.7
RELEASE_0.0.6
RELEASE_0.0.5
RELEASE_0.0.4
RELEASE_0.0.3
RELEASE_0.0.2
RELEASE_0.0.1
Labels
Clear labels   
awaiting user feedback

   
bug

   
cmake

   
cmake

   
docs

   
feature request

   
in progress

   
long term

   
medium term

   
medium term

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
ready to close

   
short term

   
under investigation

   
wontfix
No labels
awaiting user feedback
bug
cmake
cmake
docs
feature request
in progress
long term
medium term
medium term
pull-request
question
question
ready to close
short term
under investigation
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/libxlsxwriter#261
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?