[GH-ISSUE #482] Bug: UndefinedBehaviorSanitizer found with fuzz tools #377

Closed
opened 2026-05-05 12:13:32 -06:00 by gitea-mirror · 2 comments
Owner

Originally created by @tangjm24 on GitHub (Jun 2, 2025).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/482

Originally assigned to: @jmcnamara on GitHub.

I have found several bugs through fuzzing. To avoid cluttering the issues page, I’ve consolidated all the bugs I discovered into this single issue. I hope this is helpful to the developers.

Environment

libucl version: Latest commit [21c11a2](https://github.com/jmcnamara/libxlsxwriter/commit/21c11a2052162b24c121b766e4373b081ea07ff6)
System: Ubuntu 22.04.5 LTS (Jammy)
Kernel/Release: 22.04


Bug Reproduction

driver code: see [fuzzer_v1.txt](https://github.com/user-attachments/files/20548088/fuzzer_v1.txt)

compile:

```bash
#!/bin/bash

set -e

export AFL_HOME=/path/to/your/afl

cd ..

# Fetch the v1.2.2 source tarball unless it (or an unpacked tree) is already present.
if [ -d "libxlsxwriter-1.2.2" ]; then
    echo "Directory libxlsxwriter-1.2.2 already exists. Skipping download."
else
    if [ -f "v1.2.2.tar.gz" ]; then
        echo "File v1.2.2.tar.gz already exists. Skipping download."
    else
        wget https://github.com/jmcnamara/libxlsxwriter/archive/refs/tags/v1.2.2.tar.gz
    fi
fi

rm -rf libxlsxwriter-1.2.2
tar -xvf v1.2.2.tar.gz
cd libxlsxwriter-1.2.2/

LIB_CONFIG_BASE_DIR=$(pwd)
INSTALL_PREFIX="${LIB_CONFIG_BASE_DIR}/libxlsxwriter_install"
echo "libxlsxwriter will be installed to: ${INSTALL_PREFIX}"
mkdir -p "${INSTALL_PREFIX}"

echo "$CC"

mkdir build && cd build

# Build the library with AFL instrumentation plus ASan/UBSan; -fno-sanitize-recover=all
# makes every sanitizer report abort so the fuzzer records it as a crash.
CC=$AFL_HOME/afl-clang \
CXX=$AFL_HOME/afl-clang++ \
CFLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
CXXFLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
cmake .. \
  -DENABLE_LUA=OFF \
  -DBUILD_SHARED_LIBS=OFF

make -j"$(nproc)"

cd ../../libxsl_test

# Build the fuzz driver against the instrumented static library.
$AFL_HOME/afl-clang fuzzer_v1.c -g -O1 -fsanitize=address,undefined \
  -I/path/to/include/dir \
  -L/path/to/lib/dir \
  -lxlsxwriter \
  -lm \
  -lz \
  -o afl_fuzzer

# Generate a seed corpus, minimise it, then fuzz.
chmod +x gen_corpus.py
rm -rf ./corpus
./gen_corpus.py
rm -rf IN

$AFL_HOME/afl-cmin -i ./corpus -o ./IN -m none ./afl_fuzzer @@

$AFL_HOME/afl-fuzz -i IN -o OUT -m none ./afl_fuzzer @@

# $AFL_HOME/afl-fuzz -i OUT_2/crashes/ -o peruvian_crashes -m none -C ./afl_fuzzer @@
```

[crash.txt](https://github.com/user-attachments/files/20548081/crash.txt)


Fix Recommendation

crash info

```txt
/data/tjm/code/fuzz/libxlsxwriter-1.2.2/src/workbook.c:740:13: runtime error: addition of unsigned offset to 0x7ffeb3fed821 overflowed to 0x7ffeb3fed820
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /data/tjm/code/fuzz/libxlsxwriter-1.2.2/src/workbook.c:740:13 in 
```

how to fix?
change

```c
        if (lxw_str_is_empty(tmp_str) || lxw_str_is_empty(worksheet_name))
            goto mem_error;

        /* Remove any worksheet quoting. */
        if (worksheet_name[0] == '\'')
            worksheet_name++;
        if (worksheet_name[strlen(worksheet_name) - 1] == '\'')
            worksheet_name[strlen(worksheet_name) - 1] = '\0';
```

to

```c
        if (lxw_str_is_empty(tmp_str) || lxw_str_is_empty(worksheet_name))
            goto mem_error;

        /* Remove any worksheet quoting. */
        if (strlen(worksheet_name) == 0)
            return;
        if (worksheet_name[0] == '\'')
            worksheet_name++;
        if (worksheet_name[strlen(worksheet_name) - 1] == '\'')
            worksheet_name[strlen(worksheet_name) - 1] = '\0';
```
gitea-mirror 2026-05-05 12:13:32 -06:00
Author
Owner

@jmcnamara commented on GitHub (Jun 2, 2025):

> $AFL_HOME/afl-clang fuzzer_v1.c

Please attach the `fuzzer_v1.c` file.

> chmod +x gen_corpus.py

Please include this as well, if required.

> I hope this is helpful to the developers.

I appreciate that you are trying to be helpful but a simple reproducible test case would be better. Or even the API and string that causes the crash.

> how to fix?
>
> if (strlen(worksheet_name) == 0) return;

That check is already in place 2 lines previously.

From the context I'd guess that the crash occurs with a defined name like `'!name` so that the second `strlen(worksheet_name)` is zero when checked. That looks like an issue regardless of the fuzzer so I'll push a fix for that.

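The root cause jmcnamara points at is that the emptiness check runs before the leading quote is skipped, so a sheet part consisting only of `'` becomes `""` and `strlen(worksheet_name) - 1` wraps to `SIZE_MAX`, which is exactly the unsigned-offset overflow UBSan reported. The following is an added example, not libxlsxwriter's code: `str_is_empty`, `strip_sheet_quotes` and `parse_defined_name_sheet` are hypothetical names standing in for the workbook.c logic quoted in the issue. It re-checks the length after the leading quote has been removed, and goes slightly beyond the reported case by also rejecting `''` (quotes with nothing between them).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for lxw_str_is_empty(): true for NULL or "". */
static bool str_is_empty(const char *s)
{
    return s == NULL || s[0] == '\0';
}

/*
 * Hardened quote stripping (hypothetical helper). Same intent as the
 * workbook.c snippet in the issue, but the length is re-evaluated after the
 * leading quote is skipped, so "'" never reaches name[strlen(name) - 1].
 * Modifies `name` in place and returns a pointer into it, or NULL when no
 * usable worksheet name remains.
 */
char *strip_sheet_quotes(char *name)
{
    if (str_is_empty(name))
        return NULL;

    if (name[0] == '\'')
        name++;                      /* drop leading quote */

    size_t len = strlen(name);
    if (len == 0)                    /* input was exactly "'" */
        return NULL;

    if (name[len - 1] == '\'')
        name[len - 1] = '\0';        /* drop trailing quote */

    if (name[0] == '\0')             /* input was "''" */
        return NULL;

    return name;
}

/*
 * Hypothetical driver: splits "<sheet>!<name>" the way the crash path does
 * (everything before the first '!' is the worksheet name), unquotes the
 * sheet part and copies it into out. Returns false for malformed input.
 */
bool parse_defined_name_sheet(const char *defined_name, char *out, size_t out_size)
{
    char buf[128];

    if (defined_name == NULL)
        return false;

    const char *bang = strchr(defined_name, '!');
    if (bang == NULL)
        return false;

    size_t sheet_len = (size_t)(bang - defined_name);
    if (sheet_len >= sizeof buf)
        return false;

    memcpy(buf, defined_name, sheet_len);
    buf[sheet_len] = '\0';

    char *sheet = strip_sheet_quotes(buf);
    if (sheet == NULL)
        return false;

    if (strlen(sheet) + 1 > out_size)
        return false;

    strcpy(out, sheet);
    return true;
}

int main(void)
{
    /* Constructed inputs: the crashing shape from the issue and two valid ones. */
    const char *inputs[] = { "'!name", "''!name", "'My Sheet'!name", "Sheet1!name" };
    char out[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = parse_defined_name_sheet(inputs[i], out, sizeof out);
        printf("%-18s -> %s%s\n", inputs[i], ok ? "sheet=" : "rejected", ok ? out : "");
    }
    return 0;
}
```

With the original ordering, `"'!name"` would index one byte before an empty string; here it is rejected before any index is computed, and the valid quoted and unquoted names still come through unchanged.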
Author
Owner

@jmcnamara commented on GitHub (Jun 30, 2025):

Fixed in v1.2.3.

Reference: github-starred/libxlsxwriter#377