github-starred/libxlsxwriter

Fork 0

mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-15 14:15:54 -06:00

[GH-ISSUE #490] Infinite Loop in workbook_close() with Invalid Chart Scale Parameters #382

New issue

Closed

opened 2026-05-05 12:14:05 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 12:14:05 -06:00

Owner

Originally created by @LkkkLxy on GitHub (Oct 11, 2025).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/490

Originally assigned to: @jmcnamara on GitHub.

Description

An infinite loop vulnerability exists in libxlsxwriter that causes the program to hang indefinitely when workbook_close() is called after inserting a chart with infinite or extremely large scale values in lxw_chart_options.

Steps to Reproduce

Environment

OS: Linux (tested on Ubuntu with Docker)
libxlsxwriter version: Current git master
Compiler: clang with AddressSanitizer

Compilation Command

clang test_infinite_loop.c -o test_infinite_loop \
    -fsanitize=address \
    -I/path/to/libxlsxwriter/include \
    /path/to/libxlsxwriter.a \
    -lz -lm

Minimal Test Case

#include <xlsxwriter.h>
#include <math.h>
#include <stdio.h>

int main() {
    // Create workbook
    lxw_workbook *workbook = workbook_new("/tmp/test.xlsx");
    if (!workbook) return 1;

    // Add worksheet
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    if (!worksheet) {
        workbook_close(workbook);
        return 1;
    }

    // Add chart
    lxw_chart *chart = workbook_add_chart(workbook, LXW_CHART_LINE);
    if (!chart) {
        workbook_close(workbook);
        return 1;
    }

    // Add data series
    chart_add_series(chart, NULL, "=Sheet1!$A$1:$A$5");

    // Insert chart with infinite x_scale - triggers infinite loop
    lxw_chart_options chart_opts = {0};
    chart_opts.x_scale = INFINITY;  // This causes the bug
    chart_opts.y_scale = 1.0;

    worksheet_insert_chart_opt(worksheet, 0, 0, chart, &chart_opts);

    // This call hangs indefinitely
    printf("Calling workbook_close...\n");
    workbook_close(workbook);  // Program hangs here
    printf("Should never reach here\n");

    return 0;
}

Expected Behavior

The library should either:

Validate the x_scale and y_scale parameters and return an error for invalid values (INFINITY, NAN, negative values)
Handle extreme values gracefully without hanging

Actual Behavior

The program hangs indefinitely in workbook_close() and must be forcefully terminated.

Verification

$ timeout 5 ./test_infinite_loop
Calling workbook_close...
# Process hangs and is killed after 5 seconds

Root Cause

The infinite loop occurs in src/worksheet.c:3010 in the _worksheet_position_object_pixels() function:

/* Subtract the underlying cell widths to find the end cell. */
while (width >= _worksheet_size_col(self, col_end, anchor)) {
    width -= _worksheet_size_col(self, col_end, anchor);
    col_end++;
}

When chart_opts.x_scale is set to INFINITY:

The computed width becomes INFINITY
The loop condition width >= _worksheet_size_col(...) is always true
Subtracting from infinity still leaves infinity: INFINITY - finite_value = INFINITY
The loop never terminates

Call Stack

#4  _worksheet_size_col at worksheet.c:2815
#5  _worksheet_position_object_pixels at worksheet.c:3011
#6  _worksheet_position_object_emus at worksheet.c:3050
#7  lxw_worksheet_prepare_chart at worksheet.c:3674
#8  _prepare_drawings at workbook.c:1238
#9  workbook_close at workbook.c:2272

Additional Information

This bug is detected by fuzzing.

Originally created by @LkkkLxy on GitHub (Oct 11, 2025). Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/490 Originally assigned to: @jmcnamara on GitHub. ## Description An infinite loop vulnerability exists in libxlsxwriter that causes the program to hang indefinitely when `workbook_close()` is called after inserting a chart with infinite or extremely large scale values in `lxw_chart_options`. ## Steps to Reproduce ### Environment - **OS**: Linux (tested on Ubuntu with Docker) - **libxlsxwriter version**: Current git master - **Compiler**: clang with AddressSanitizer ### Compilation Command ```bash clang test_infinite_loop.c -o test_infinite_loop \ -fsanitize=address \ -I/path/to/libxlsxwriter/include \ /path/to/libxlsxwriter.a \ -lz -lm ``` ### Minimal Test Case ```c #include <xlsxwriter.h> #include <math.h> #include <stdio.h> int main() { // Create workbook lxw_workbook *workbook = workbook_new("/tmp/test.xlsx"); if (!workbook) return 1; // Add worksheet lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL); if (!worksheet) { workbook_close(workbook); return 1; } // Add chart lxw_chart *chart = workbook_add_chart(workbook, LXW_CHART_LINE); if (!chart) { workbook_close(workbook); return 1; } // Add data series chart_add_series(chart, NULL, "=Sheet1!$A$1:$A$5"); // Insert chart with infinite x_scale - triggers infinite loop lxw_chart_options chart_opts = {0}; chart_opts.x_scale = INFINITY; // This causes the bug chart_opts.y_scale = 1.0; worksheet_insert_chart_opt(worksheet, 0, 0, chart, &chart_opts); // This call hangs indefinitely printf("Calling workbook_close...\n"); workbook_close(workbook); // Program hangs here printf("Should never reach here\n"); return 0; } ``` ### Expected Behavior The library should either: 1. Validate the `x_scale` and `y_scale` parameters and return an error for invalid values (INFINITY, NAN, negative values) 2. Handle extreme values gracefully without hanging ### Actual Behavior The program hangs indefinitely in `workbook_close()` and must be forcefully terminated. ### Verification ```bash $ timeout 5 ./test_infinite_loop Calling workbook_close... # Process hangs and is killed after 5 seconds ``` ## Root Cause The infinite loop occurs in `src/worksheet.c:3010` in the `_worksheet_position_object_pixels()` function: ```c /* Subtract the underlying cell widths to find the end cell. */ while (width >= _worksheet_size_col(self, col_end, anchor)) { width -= _worksheet_size_col(self, col_end, anchor); col_end++; } ``` When `chart_opts.x_scale` is set to `INFINITY`: 1. The computed `width` becomes `INFINITY` 2. The loop condition `width >= _worksheet_size_col(...)` is always true 3. Subtracting from infinity still leaves infinity: `INFINITY - finite_value = INFINITY` 4. The loop never terminates ### Call Stack ``` #4 _worksheet_size_col at worksheet.c:2815 #5 _worksheet_position_object_pixels at worksheet.c:3011 #6 _worksheet_position_object_emus at worksheet.c:3050 #7 lxw_worksheet_prepare_chart at worksheet.c:3674 #8 _prepare_drawings at workbook.c:1238 #9 workbook_close at workbook.c:2272 ``` ## Additional Information This bug is detected by fuzzing.

gitea-mirror

2026-05-05 12:14:05 -06:00

closed this issue
added the
bug
label

gitea-mirror commented

2026-05-05 12:14:09 -06:00

Author

Owner

@jmcnamara commented on GitHub (Oct 13, 2025):

I think this is a user error. If the user enters INFINITY then they are getting what they ask for.

I will look into a fix anyway.

@jmcnamara commented on GitHub (Oct 13, 2025): I think this is a user error. If the user enters INFINITY then they are getting what they ask for. I will look into a fix anyway.

gitea-mirror commented

2026-05-05 12:14:10 -06:00

Author

Owner

@jmcnamara commented on GitHub (Oct 30, 2025):

Fixed on main. Thanks for the report.

@jmcnamara commented on GitHub (Oct 30, 2025): Fixed on main. Thanks for the report.

gitea-mirror commented

2026-05-05 12:14:11 -06:00

Author

Owner

@kruftindustries commented on GitHub (Jan 16, 2026):

This is bad timing but I studied this issue and found excel calculates the percent based on a maximum width and height, not sure if it's different on other machines or if there are settings that can affect the value.

#define LXW_OBJECT_MAX_SIZE_PIXELS 225408.0 /* Excel max: 2348 inches * 96 DPI */
#define LXW_OBJECT_MIN_SCALE 0.01 /

@kruftindustries commented on GitHub (Jan 16, 2026): This is bad timing but I studied this issue and found excel calculates the percent based on a maximum width and height, not sure if it's different on other machines or if there are settings that can affect the value. #define LXW_OBJECT_MAX_SIZE_PIXELS 225408.0 /* Excel max: 2348 inches * 96 DPI */ #define LXW_OBJECT_MIN_SCALE 0.01 /

gitea-mirror commented

2026-05-05 12:14:14 -06:00

Author

Owner

@jmcnamara commented on GitHub (Jan 16, 2026):

I studied this issue and found excel calculates the percent based on a maximum width and height

@kruftindustries That looks like a bug but it is different from this one. Could you open a new bug report for it. Thanks.

@jmcnamara commented on GitHub (Jan 16, 2026): > I studied this issue and found excel calculates the percent based on a maximum width and height @kruftindustries That looks like a bug but it is different from this one. Could you open a new bug report for it. Thanks.

gitea-mirror referenced this issue

2026-05-05 12:16:55 -06:00

[PR #382] [MERGED] Add buffer support #476