[GH-ISSUE #487] Global Buffer Overflow in format_set_pattern() Function #381

Closed
opened 2026-05-05 12:13:50 -06:00 by gitea-mirror · 1 comment

Originally created by @LkkkLxy on GitHub (Sep 30, 2025).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/487

Summary

A global buffer overflow vulnerability exists in the libxlsxwriter library when using format_set_pattern() with invalid pattern values. This can lead to memory corruption and program crashes.

Environment

  • Library Version: Latest (as of analysis)
  • Platform: Linux x86_64
  • Compiler: clang with AddressSanitizer
  • Detection Tool: AddressSanitizer

Vulnerability Details

  • Type: Global buffer overflow
  • Location: _write_fill() function in /src/libxlsxwriter/src/styles.c:732
  • Affected Function: format_set_pattern()

Root Cause

The format_set_pattern() function accepts pattern values without proper bounds checking. When an invalid pattern value (e.g., 19) is used, it causes an out-of-bounds access in the _write_fill() function during workbook serialization. The patterns array in _write_fill() has a fixed size that doesn't accommodate all possible pattern values.

Steps to Reproduce

  1. Compile the following test program with AddressSanitizer:
clang test.c -o test -fsanitize=address -I<libxlsxwriter_include_path> -lxlsxwriter -lz
  2. Run the test program:
#include <xlsxwriter.h>
#include <stdio.h>

int main() {
    // Create workbook
    lxw_workbook *workbook = workbook_new("test.xlsx");
    if (!workbook) return 1;

    // Add worksheet
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    if (!worksheet) {
        workbook_close(workbook);
        return 1;
    }

    // Add format
    lxw_format *format = workbook_add_format(workbook);
    if (!format) {
        workbook_close(workbook);
        return 1;
    }

    // Set invalid pattern value - triggers the vulnerability
    format_set_pattern(format, 19);

    // Use the format (required to trigger the bug during close)
    worksheet_write_string(worksheet, 0, 0, "Test", format);

    // This will crash in _write_fill()
    workbook_close(workbook);

    return 0;
}

Expected Behavior

The function should either:

  1. Accept only valid pattern values and reject invalid ones with an error
  2. Handle invalid pattern values gracefully without causing memory corruption

Actual Behavior

The program crashes with a global buffer overflow:

==56525==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556a9faf5c18
READ of size 8 at 0x556a9faf5c18 thread T0
    #0 0x556a9fa67c5a in _write_fill /src/libxlsxwriter/src/styles.c:732:35
    #1 0x556a9fa62bff in _write_fills /src/libxlsxwriter/src/styles.c:777:13
    #2 0x556a9fa62bff in lxw_styles_assemble_xml_file /src/libxlsxwriter/src/styles.c:1426:5
    #3 0x556a9fa53e5f in _write_styles_file /src/libxlsxwriter/src/packager.c:1417:5
    #4 0x556a9fa4fea1 in lxw_create_package /src/libxlsxwriter/src/packager.c:2211:13
    #5 0x556a9f9b82f7 in workbook_close /src/libxlsxwriter/src/workbook.c:2299:13

Proposed Fix

  1. Add bounds checking in format_set_pattern():
     if (pattern > LXW_PATTERN_GRAY_0625) {
         LXW_WARN_FORMAT1("Invalid pattern value: %d, using LXW_PATTERN_NONE instead", pattern);
         pattern = LXW_PATTERN_NONE;
     }

Additional Information

This bug was discovered through fuzz testing.

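An added example, not the project's own code, that models the defect and both layers of a fix in one self-contained C program: the enum range, the `patterns` table and the `fmt` struct are constructed stand-ins for libxlsxwriter's, and it adds a read-site check in the serializer beyond the setter check in the proposed fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of this issue's defect, not libxlsxwriter's own code.
 * Enum range mirrors the report (LXW_PATTERN_NONE..LXW_PATTERN_GRAY_0625, 0..18);
 * the table stands in for the fixed-size `patterns` array _write_fill() indexes
 * and holds the OOXML fill pattern names. */
enum { PATTERN_NONE = 0, PATTERN_GRAY_0625 = 18 };
static const char *patterns[] = {
    "none", "solid", "mediumGray", "darkGray", "lightGray",
    "darkHorizontal", "darkVertical", "darkDown", "darkUp", "darkGrid",
    "darkTrellis", "lightHorizontal", "lightVertical", "lightDown",
    "lightUp", "lightGrid", "lightTrellis", "gray125", "gray0625",
};
#define PATTERN_COUNT (sizeof patterns / sizeof patterns[0])
/* Keeps the enum's upper bound and the table size from drifting apart. */
_Static_assert((size_t)PATTERN_GRAY_0625 + 1 == PATTERN_COUNT, "table must cover every pattern");

struct fmt { uint8_t pattern; };  /* stand-in for the lxw_format field */
static int warnings;               /* counts clamps so the path is observable */

/* Before: the writer trusts the stored index. With pattern == 19 this reads one
 * pointer (8 bytes) past the table, the global-buffer-overflow ASan reported. */
static const char *write_fill_unchecked(const struct fmt *f) {
    return patterns[f->pattern];
}

/* Fix 1, the setter check from the proposed fix: reject out-of-range values at
 * the API boundary, warn, and fall back to PATTERN_NONE. */
static void set_pattern(struct fmt *f, uint8_t pattern) {
    if (pattern > PATTERN_GRAY_0625) {
        fprintf(stderr, "warning: invalid pattern value %u, using none\n", (unsigned)pattern);
        warnings++;
        pattern = PATTERN_NONE;
    }
    f->pattern = pattern;
}

/* Fix 2, defence in depth at the read site: re-check against the table size so
 * a field set directly (or by an older setter) still cannot index past it. */
static const char *write_fill_checked(const struct fmt *f) {
    size_t idx = f->pattern;
    return idx < PATTERN_COUNT ? patterns[idx] : patterns[PATTERN_NONE];
}
int main(void) {
    struct fmt f = {0};
    set_pattern(&f, 19);  /* the reproducer's value: clamped, no overflow */
    printf("stored %u -> %s\n", (unsigned)f.pattern, write_fill_checked(&f));
    return 0;
}
```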

@jmcnamara commented on GitHub (Sep 30, 2025):

Fixed on main along with several other similar potential issues.
