github-starred/libxlsxwriter
2
0
Fork 0
mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-15 14:15:54 -06:00
Code Issues 16 Projects Packages Wiki Activity Actions

[GH-ISSUE #486] NULL Pointer Dereference in libxlsxwriter Chart Processing #380

New issue
Closed
opened 2026-05-05 12:13:49 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 12:13:49 -06:00
Owner
Copy link

Originally created by @LkkkLxy on GitHub (Sep 29, 2025).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/486

Originally assigned to: @jmcnamara on GitHub.

Describe the bug

A NULL pointer dereference vulnerability exists in libxlsxwriter's chart processing workflow. The issue stems from inadequate input validation in workbook_add_chart() which accepts invalid chart types, leading to incomplete initialization of chart structures. When workbook_close() attempts to process these malformed charts, a NULL pointer dereference occurs in _write_chart_files().

Root Cause Analysis

Technical Details

  1. Input Validation Failure: workbook_add_chart(workbook, 0) accepts invalid chart type 0
  2. Incomplete Initialization: _chart_initialize() only prints a warning for invalid types but doesn't initialize critical function pointers
  3. NULL Pointer Dereference: _write_chart_files() calls lxw_chart_assemble_xml_file() which attempts to call NULL function pointers
  4. Crash Location: SEGV occurs at address 0x000000000000 in packager.c:540

Call Chain

workbook_close() 
  → lxw_create_package()
    → _write_chart_files() 
      → lxw_chart_assemble_xml_file()
        → (*chart->write_chart_type)() // NULL function pointer call
          → SEGV at 0x000000000000

To Reproduce

Ultra-minimal reproduction code (6 APIs, tested and verified):

#include <xlsxwriter.h>
#include <stdio.h>

int main() {
    printf("ULTRA MINIMAL: 6 APIs only - libxlsxwriter crash\n");
    
    // 1. Create workbook
    lxw_workbook *workbook = workbook_new("test.xlsx");
    if (!workbook) return 1;
    
    // 2. Add worksheet (required for chart insertion)
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    if (!worksheet) {
        workbook_close(workbook);
        return 1;
    }
    
    // 3. Create chart with INVALID type 0 - KEY TRIGGER
    lxw_chart *chart = workbook_add_chart(workbook, 0);
    if (chart) {
        // 4. Add series (required - chart must have series)
        lxw_chart_series *series = chart_add_series(chart, "", "");
        
        // 5. Insert chart into worksheet (required to trigger processing)
        worksheet_insert_chart(worksheet, 0, 0, chart);
    }
    
    printf("Calling workbook_close - crash expected...\n");
    
    // 6. Close workbook - TRIGGERS NULL POINTER DEREFERENCE
    workbook_close(workbook);
    
    printf("ERROR: Should never reach this line!\n");
    return 0;
}

Compilation and Testing

# In libxlsxwriter docker container
gcc -g -fsanitize=address -I/src/libxlsxwriter/include \
    ultra_minimal.c -L/src/libxlsxwriter-install/lib -lxlsxwriter -lz \
    -o ultra_minimal && ./ultra_minimal

Expected behavior

The library should:

  1. Validate chart types during creation and reject invalid types with clear error codes
  2. Fail gracefully for invalid inputs rather than creating partially initialized objects
  3. Never crash regardless of input combination
static lxw_error _write_chart_files(lxw_packager *self) {
    // ...
    lxw_chart_assemble_xml_file(chart);  // Calls NULL function pointer
}

Version

  • libxlsxwriter version: Current git master
  • OS and version: Linux x86_64
  • Compiler: clang with AddressSanitizer
  • Build configuration: Docker container build
  • Testing: Verified reproduction in libxlsxwriter docker environment

Additional Context

This bug was discovered through fuzz testing.

By examining the code, I believe that since LXW_CHART_NONE is defined in the enum, it is inappropriate to leave it unhandled. This does not fall under API misuse. It can be addressed simply with an if check, or even with an assert. (Of course, for values outside the range of the enum provided to users, we don’t need to handle them — that would be API misuse.)

Of course, there are other higher-cost approaches, but I don’t think it is appropriate to introduce significant overhead for such a minor bug. Since I am a fuzz tester and lack prior knowledge of this library, my proposed solution may not be entirely accurate. If you have other ideas, I’d be happy to discuss them.

Originally created by @LkkkLxy on GitHub (Sep 29, 2025). Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/486 Originally assigned to: @jmcnamara on GitHub. ## Describe the bug A NULL pointer dereference vulnerability exists in libxlsxwriter's chart processing workflow. The issue stems from inadequate input validation in `workbook_add_chart()` which accepts invalid chart types, leading to incomplete initialization of chart structures. When `workbook_close()` attempts to process these malformed charts, a NULL pointer dereference occurs in `_write_chart_files()`. ## Root Cause Analysis ### Technical Details 1. **Input Validation Failure**: `workbook_add_chart(workbook, 0)` accepts invalid chart type `0` 2. **Incomplete Initialization**: `_chart_initialize()` only prints a warning for invalid types but doesn't initialize critical function pointers 3. **NULL Pointer Dereference**: `_write_chart_files()` calls `lxw_chart_assemble_xml_file()` which attempts to call NULL function pointers 4. **Crash Location**: SEGV occurs at address 0x000000000000 in packager.c:540 ### Call Chain ``` workbook_close() → lxw_create_package() → _write_chart_files() → lxw_chart_assemble_xml_file() → (*chart->write_chart_type)() // NULL function pointer call → SEGV at 0x000000000000 ``` ## To Reproduce **Ultra-minimal reproduction code (6 APIs, tested and verified):** ```c #include <xlsxwriter.h> #include <stdio.h> int main() { printf("ULTRA MINIMAL: 6 APIs only - libxlsxwriter crash\n"); // 1. Create workbook lxw_workbook *workbook = workbook_new("test.xlsx"); if (!workbook) return 1; // 2. Add worksheet (required for chart insertion) lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL); if (!worksheet) { workbook_close(workbook); return 1; } // 3. Create chart with INVALID type 0 - KEY TRIGGER lxw_chart *chart = workbook_add_chart(workbook, 0); if (chart) { // 4. Add series (required - chart must have series) lxw_chart_series *series = chart_add_series(chart, "", ""); // 5. Insert chart into worksheet (required to trigger processing) worksheet_insert_chart(worksheet, 0, 0, chart); } printf("Calling workbook_close - crash expected...\n"); // 6. Close workbook - TRIGGERS NULL POINTER DEREFERENCE workbook_close(workbook); printf("ERROR: Should never reach this line!\n"); return 0; } ``` ### Compilation and Testing ``` # In libxlsxwriter docker container gcc -g -fsanitize=address -I/src/libxlsxwriter/include \ ultra_minimal.c -L/src/libxlsxwriter-install/lib -lxlsxwriter -lz \ -o ultra_minimal && ./ultra_minimal ``` ## Expected behavior The library should: 1. **Validate chart types** during creation and reject invalid types with clear error codes 2. **Fail gracefully** for invalid inputs rather than creating partially initialized objects 3. **Never crash** regardless of input combination ```c static lxw_error _write_chart_files(lxw_packager *self) { // ... lxw_chart_assemble_xml_file(chart); // Calls NULL function pointer } ``` ## Version - **libxlsxwriter version**: Current git master - **OS and version**: Linux x86_64 - **Compiler**: clang with AddressSanitizer - **Build configuration**: Docker container build - **Testing**: Verified reproduction in libxlsxwriter docker environment ## Additional Context This bug was discovered through fuzz testing. By examining the code, I believe that since LXW_CHART_NONE is defined in the enum, it is inappropriate to leave it unhandled. This does not fall under API misuse. It can be addressed simply with an if check, or even with an assert. (Of course, for values outside the range of the enum provided to users, we don’t need to handle them — that would be API misuse.) Of course, there are other higher-cost approaches, but I don’t think it is appropriate to introduce significant overhead for such a minor bug. Since I am a fuzz tester and lack prior knowledge of this library, my proposed solution may not be entirely accurate. If you have other ideas, I’d be happy to discuss them.
gitea-mirror 2026-05-05 12:13:49 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 12:13:54 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Sep 29, 2025):

Thanks for the detailed report. I'll look into it.

<!-- gh-comment-id:3345928690 --> @jmcnamara commented on GitHub (Sep 29, 2025): Thanks for the detailed report. I'll look into it.
gitea-mirror commented 2026-05-05 12:13:55 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Sep 29, 2025):

Fixed on main. Thanks for the report.

<!-- gh-comment-id:3348787728 --> @jmcnamara commented on GitHub (Sep 29, 2025): Fixed on main. Thanks for the report.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
coverity
cmake-improvements
cmake_pkgconfig_fix
ctest
button
tables
autofilter
dtoa
iwyu
openssl
gentoo
gh310
condition_format
rich_string_html
header_footer_images
custom_data_labels
object_position
gh265
constant_mode_comments2
constant_mode_comments
vml
md5
vcpkg
hyperlinks
api_refactor
win_fopen
gh203
rich_strings
chartsheet
in_mem_image
gh192
revert-162-master
data_validation
meson
charts
scan_build
utf8_strlen
tmpfileplus
custom_properties
insert_image
default_row
control_chars
worksheet_protect
dev
red_black
panes
mkstemp
defined_names
optimise
wip
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.9
v1.1.8
RELEASE_1.1.7
RELEASE_1.1.6
RELEASE_1.1.5
RELEASE_1.1.4
RELEASE_1.1.3
RELEASE_1.1.2
RELEASE_1.1.1
RELEASE_1.1.0
RELEASE_1.0.9
RELEASE_1.0.8
RELEASE_1.0.7
RELEASE_1.0.6
RELEASE_1.0.5
RELEASE_1.0.4
RELEASE_1.0.3
RELEASE_1.0.2
RELEASE_1.0.1
RELEASE_1.0.0
RELEASE_0.9.9
RELEASE_0.9.8
RELEASE_0.9.7
RELEASE_0.9.6
RELEASE_0.9.5
RELEASE_0.9.4
RELEASE_0.9.3
RELEASE_0.9.2
RELEASE_0.9.1
RELEASE_0.9.0
RELEASE_0.8.9
RELEASE_0.8.8
RELEASE_0.8.7
RELEASE_0.8.6
RELEASE_0.8.5
RELEASE_0.8.4
RELEASE_0.8.3
RELEASE_0.8.2
RELEASE_0.8.1
RELEASE_0.8.0
RELEASE_0.7.9
RELEASE_0.7.8
RELEASE_0.7.7
RELEASE_0.7.6
RELEASE_0.7.5
RELEASE_0.7.4
RELEASE_0.7.3
RELEASE_0.7.2
RELEASE_0.7.1
RELEASE_0.7.0
RELEASE_0.6.9
RELEASE_0.6.8
RELEASE_0.6.7
RELEASE_0.6.6
RELEASE_0.6.5
RELEASE_0.6.4
RELEASE_0.6.3
RELEASE_0.6.2
RELEASE_0.6.1
RELEASE_0.6.0
RELEASE_0.5.9
RELEASE_0.5.8
RELEASE_0.5.7
RELEASE_0.5.6
RELEASE_0.5.5
RELEASE_0.5.4
RELEASE_0.5.3
RELEASE_0.5.2
RELEASE_0.5.1
RELEASE_0.5.0
RELEASE_0.4.9
RELEASE_0.4.8
RELEASE_0.4.7
RELEASE_0.4.6
RELEASE_0.4.5
RELEASE_0.4.4
RELEASE_0.4.3
RELEASE_0.4.2
RELEASE_0.4.1
RELEASE_0.4.0
RELEASE_0.3.9
RELEASE_0.3.8
RELEASE_0.3.7
RELEASE_0.3.6
RELEASE_0.3.5
RELEASE_0.3.4
RELEASE_0.3.3
RELEASE_0.3.2
RELEASE_0.3.1
RELEASE_0.3.0
RELEASE_0.2.9
RELEASE_0.2.8
RELEASE_0.2.7
RELEASE_0.2.6
RELEASE_0.2.5
RELEASE_0.2.4
RELEASE_0.2.3
RELEASE_0.2.2
RELEASE_0.2.1
RELEASE_0.2.0
RELEASE_0.1.9
RELEASE_0.1.8
RELEASE_0.1.7
RELEASE_0.1.6
RELEASE_0.1.5
RELEASE_0.1.4
RELEASE_0.1.3
RELEASE_0.1.2
RELEASE_0.1.1
RELEASE_0.1.0
RELEASE_0.0.9
RELEASE_0.0.8
RELEASE_0.0.7
RELEASE_0.0.6
RELEASE_0.0.5
RELEASE_0.0.4
RELEASE_0.0.3
RELEASE_0.0.2
RELEASE_0.0.1
Labels
Clear labels   
awaiting user feedback

   
bug

   
cmake

   
cmake

   
docs

   
feature request

   
in progress

   
long term

   
medium term

   
medium term

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
ready to close

   
short term

   
under investigation

   
wontfix
No labels
awaiting user feedback
bug
cmake
cmake
docs
feature request
in progress
long term
medium term
medium term
pull-request
question
question
ready to close
short term
under investigation
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/libxlsxwriter#380
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?