[GH-ISSUE #447] worksheet_set_selection stack-buffer-overflow #351

Closed
opened 2026-05-05 12:11:21 -06:00 by gitea-mirror · 1 comment

Originally created by @ym-xie on GitHub (May 30, 2024).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/447

Maybe there exists a bug in `worksheet_set_selection` when compiled with 32-bit.
Below is an example:

```c
#include "xlsxwriter.h"

int main() {
    lxw_workbook  *workbook  = workbook_new("demo.xlsx");
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    /* Row/column values far outside the sheet limits: first_row = 2486186032,
       first_col = 12336, last_row = 2955948080, last_col = 65535 */
    worksheet_set_selection(worksheet, 2486186032, 12336, 2955948080, 65535);
    workbook_close(workbook);
    return 0;
}
```

Below is the modified part of CMakeLists.txt:

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -140,6 +140,8 @@ option(USE_MEM_FILE "Use fmemopen()/open_memstream() in place of temporary files
 option(IOAPI_NO_64 "Disable 64-bit filesystem support" OFF)
 option(USE_DTOA_LIBRARY "Use the locale independent third party Milo Yip DTOA library" OFF)

+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -m32 -fsanitize=address,leak")
+
 if(MSVC)
     option(USE_STATIC_MSVC_RUNTIME "Use the static runtime library" OFF)
 endif()
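Review bot: the added `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -m32 -fsanitize=address,leak")` hardcodes the 32-bit ABI and the sanitizers into every build of the project; as a reproduction aid it belongs on the configure command line (`cmake -DCMAKE_C_FLAGS="-m32 -fsanitize=address,leak" ..`) so that CMakeLists.txt itself stays unchanged. Note also that only `CMAKE_C_FLAGS` is set, while the reproducer in the stack trace below is a `.cpp` file; if it is built through this project it needs the same flags in `CMAKE_CXX_FLAGS`, otherwise the 32-bit ABI and the sanitizer runtime are applied to the library only.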
@@ -294,7 +296,7 @@ target_sources(${PROJECT_NAME}
     PRIVATE ${LXW_SOURCES}
     PUBLIC ${LXW_HEADERS}
 )
-target_link_libraries(${PROJECT_NAME} LINK_PUBLIC ${ZLIB_LIBRARIES} ${MINIZIP_LIBRARIES} ${LIB_CRYPTO} ${OPENSSL_CRYPTO_LIBRARY})
+target_link_libraries(${PROJECT_NAME} LINK_PUBLIC ${ZLIB_ROOT}/libz.a ${MINIZIP_LIBRARIES} ${LIB_CRYPTO} ${OPENSSL_CRYPTO_LIBRARY})
 target_compile_definitions(${PROJECT_NAME} PRIVATE ${LXW_PRIVATE_COMPILE_DEFINITIONS})
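Review bot: replacing `${ZLIB_LIBRARIES}` with `${ZLIB_ROOT}/libz.a` hardcodes a static zlib path and, when `ZLIB_ROOT` is not set at configure time, expands to `/libz.a` and fails at link time with an unhelpful error. `ZLIB_ROOT` is a search hint for `find_package(ZLIB)`, so the portable way to pick up a 32-bit zlib is to point that hint (or `CMAKE_PREFIX_PATH`) at the 32-bit install and keep `${ZLIB_LIBRARIES}`, setting `ZLIB_USE_STATIC_LIBS=ON` (CMake 3.24+) if a static archive is wanted. Either way this is a local build-environment change rather than something to merge.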

Below is the ASan information:

=================================================================
==2618841==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffbcd72c at pc 0x56658272 bp 0xffbcd608 sp 0xffbcd1e0
WRITE of size 9 at 0xffbcd72c thread T0
    #0 0x56658271 in vsnprintf (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x54271) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)
    #1 0x56659587 in __interceptor_snprintf (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x55587) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)
    #2 0x568a0b2e in lxw_rowcol_to_cell /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:128:5
    #3 0x568a0d17 in lxw_rowcol_to_range /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:179:5
    #4 0x567843d9 in worksheet_set_selection /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:9591:9
    #5 0x566f89f6 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug-worksheet_selection.cpp:11:5
    #6 0xf7981518  (/lib32/libc.so.6+0x21518) (BuildId: 31c8f0d70dc2786b753d53ec314e2c6e71247c03)
    #7 0xf79815f2 in __libc_start_main (/lib32/libc.so.6+0x215f2) (BuildId: 31c8f0d70dc2786b753d53ec314e2c6e71247c03)
    #8 0x566374aa in _start (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x334aa) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058)

Address 0xffbcd72c is located in stack of thread T0 at offset 108 in frame
    #0 0x5678405f in worksheet_set_selection /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:9552

  This frame has 2 object(s):
    [16, 44) 'active_cell' (line 9556)
    [80, 108) 'sqref' (line 9557) <== Memory access at offset 108 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug-worksheet_selection+0x54271) (BuildId: 004eabb0ed812d3caf7cb56a5b67ace0c4029058) in vsnprintf
Shadow bytes around the buggy address:
  0x3ff79a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79ad0: 00 00 00 00 00 00 00 00 f1 f1 00 00 00 04 f2 f2
=>0x3ff79ae0: f2 f2 00 00 00[04]f3 f3 f3 f3 00 00 00 00 00 00
  0x3ff79af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ff79b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2618841==ABORTING

Tested on Ubuntu 22
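The ASan report above shows the second cell reference of the range being written past the end of the 28-byte `sqref` stack buffer, because row and column values far beyond a sheet's limits produce a longer "A1:B2" string than the buffer was sized for. The following is an added example, not code from libxlsxwriter or from the issue author, of how a range formatter can be made safe against exactly this input: it rejects indices beyond Excel's limits (1,048,576 rows and 16,384 columns, 0-based here as in the libxlsxwriter API) before touching any buffer, and every `snprintf` is given the *remaining* buffer size and checked for truncation. The function names, macros and buffer sizes are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Excel sheet limits as 0-based indices (assumed for this example). */
#define MAX_ROW_INDEX 1048575u   /* 1,048,576 rows */
#define MAX_COL_INDEX 16383u     /* 16,384 columns, A..XFD */

/* Worst case cell name "XFD1048576" is 10 chars; 16 leaves room for the NUL. */
#define CELL_NAME_LEN 16
#define RANGE_NAME_LEN (2 * CELL_NAME_LEN)

/* Convert a 0-based column index to its letters ("A", "Z", "AA", ..., "XFD").
   Returns the number of letters written (NUL excluded), or -1 if the column
   is out of range or the buffer is too small. */
static int col_to_name(char *out, size_t out_len, uint32_t col)
{
    char tmp[8];
    size_t n = 0;
    if (col > MAX_COL_INDEX)
        return -1;
    uint32_t c = col + 1;               /* work with a 1-based value */
    while (c > 0) {
        uint32_t rem = c % 26;
        if (rem == 0)
            rem = 26;                   /* 'Z' rather than a wrap to zero */
        tmp[n++] = (char)('A' + rem - 1);
        c = (c - rem) / 26;
    }
    if (n + 1 > out_len)
        return -1;
    for (size_t i = 0; i < n; i++)      /* letters were produced least-significant first */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return (int)n;
}

/* Format an "A1"-style reference. Returns the length written, or -1 on an
   out-of-range index or a buffer too small to hold the result. */
static int rowcol_to_cell(char *out, size_t out_len, uint32_t row, uint32_t col)
{
    char letters[8];
    if (row > MAX_ROW_INDEX)
        return -1;
    if (col_to_name(letters, sizeof letters, col) < 0)
        return -1;
    int n = snprintf(out, out_len, "%s%u", letters, row + 1);
    if (n < 0 || (size_t)n >= out_len)  /* snprintf reports the would-be length */
        return -1;                      /* truncated: treat as an error, not a partial write */
    return n;
}

/* Format "A1:B2". The second cell is written after the ':' with the space
   that is actually left, which is the write the sanitizer flagged above. */
static int rowcol_to_range(char *out, size_t out_len,
                           uint32_t first_row, uint32_t first_col,
                           uint32_t last_row, uint32_t last_col)
{
    int n1 = rowcol_to_cell(out, out_len, first_row, first_col);
    if (n1 < 0)
        return -1;
    size_t used = (size_t)n1;
    if (used + 1 >= out_len)            /* room for ':' plus at least a NUL */
        return -1;
    out[used++] = ':';
    int n2 = rowcol_to_cell(out + used, out_len - used, last_row, last_col);
    if (n2 < 0)
        return -1;
    return (int)used + n2;
}

/* Guarded entry point mirroring what a selection setter should do: validate
   all four indices up front, then format into a correctly sized buffer.
   Returns the range length on success, -1 if the input was rejected. */
static int format_selection(char *sqref, size_t sqref_len,
                            uint32_t first_row, uint32_t first_col,
                            uint32_t last_row, uint32_t last_col)
{
    if (first_row > MAX_ROW_INDEX || last_row > MAX_ROW_INDEX ||
        first_col > MAX_COL_INDEX || last_col > MAX_COL_INDEX)
        return -1;
    return rowcol_to_range(sqref, sqref_len, first_row, first_col, last_row, last_col);
}

int main(void)
{
    char sqref[RANGE_NAME_LEN];
    /* The arguments from the issue's reproducer are rejected before any write. */
    int rc = format_selection(sqref, sizeof sqref, 2486186032u, 12336u, 2955948080u, 65535u);
    printf("issue input: rc=%d\n", rc);
    /* The largest valid selection still fits the buffer. */
    rc = format_selection(sqref, sizeof sqref, 0u, 0u, MAX_ROW_INDEX, MAX_COL_INDEX);
    printf("max range: rc=%d sqref=%s\n", rc, sqref);
    return 0;
}
```

The design point is that the bounds check and the buffer size are derived from the same constants, so a caller cannot pass a value that produces a string longer than the buffer; the truncation check on `snprintf` is the second line of defence if the two ever drift apart.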


@jmcnamara commented on GitHub (Jun 5, 2024):

Fixed on main. Thanks.
