github-starred/libxlsxwriter
2
0
Fork 0
mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-15 06:06:09 -06:00
Code Issues 16 Projects Packages Wiki Activity Actions

[GH-ISSUE #491] Stack Buffer Overflow in lxw_datetime_to_excel_datetime() with Invalid Month Values #384

New issue
Closed
opened 2026-05-05 12:14:05 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 12:14:05 -06:00
Owner
Copy link

Originally created by @LkkkLxy on GitHub (Oct 11, 2025).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/491

Originally assigned to: @jmcnamara on GitHub.

Description

A stack buffer overflow vulnerability exists in libxlsxwriter's datetime conversion function. When lxw_datetime_to_excel_datetime() is called with a month value greater than 12, the function accesses beyond the bounds of the mdays array, causing a stack buffer overflow.

Steps to Reproduce

Environment

  • OS: Linux (tested on Ubuntu with Docker)
  • libxlsxwriter version: Current git master
  • Compiler: clang with AddressSanitizer

Compilation Command

clang test_datetime_crash.c -o test_datetime_crash \
    -fsanitize=address \
    -I/path/to/libxlsxwriter/include \
    /path/to/libxlsxwriter.a \
    -lz -lm

Minimal Test Case

#include <xlsxwriter.h>
#include <stdio.h>

int main() {
    lxw_datetime datetime = {
        .year = 2024,
        .month = 100,  // Invalid: must be 1-12
        .day = 1,
        .hour = 0,
        .min = 0,
        .sec = 0.0
    };
    
    printf("Testing datetime with month = %d\n", datetime.month);
    
    // This triggers stack buffer overflow
    double result = lxw_datetime_to_excel_datetime(&datetime);
    
    printf("Result: %f\n", result);
    return 0;
}

Expected Behavior

The library should:

  1. Validate that month is in the range 1-12
  2. Return an error or default value for invalid input
  3. Not crash or access memory outside of allocated buffers

Actual Behavior

The program crashes with a stack buffer overflow:

Testing datetime with month = 100
=================================================================
==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff9ff3000d0
READ of size 16 at 0x7ff9ff3000d0 thread T0
    #0 0x556a4308c5ad in lxw_datetime_to_excel_date_with_epoch /src/libxlsxwriter/src/utility.c:411:17

Address 0x7ff9ff3000d0 is located in stack of thread T0 at offset 80 in frame
    #0 0x556a4308bd2f in lxw_datetime_to_excel_date_with_epoch /src/libxlsxwriter/src/utility.c:342

  This frame has 1 object(s):
    [32, 84) 'mdays' (line 355) <== Memory access at offset 80 partially overflows this variable

SUMMARY: AddressSanitizer: stack-buffer-overflow /src/libxlsxwriter/src/utility.c:411:17 in lxw_datetime_to_excel_date_with_epoch

Root Cause

In src/utility.c function lxw_datetime_to_excel_date_with_epoch(), line 411:

int mdays[] = { 0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
// mdays has only 13 elements (indices 0-12)

// ...

/* Add days for previous months. */
for (i = 0; i < month; i++) {
    days += mdays[i];  // No bounds check on month value
}

The function reads datetime->month from user input but does not validate it before using it as a loop bound to access the mdays array. When month > 12, the loop accesses beyond the array bounds.

Call Stack

#0  lxw_datetime_to_excel_date_with_epoch() at utility.c:411:17
#1  lxw_datetime_to_excel_datetime()
#2  User code

Proposed Fix

Add input validation at the start of lxw_datetime_to_excel_date_with_epoch():

double lxw_datetime_to_excel_date_with_epoch(lxw_datetime *datetime,
                                               uint8_t use_1904_epoch)
{
    int month = datetime->month;
    int day = datetime->day;
    
    // Validate datetime components
    if (month < 1 || month > 12) {
        LXW_WARN("lxw_datetime_to_excel_date: invalid month %d (must be 1-12)", month);
        return 0.0;  // or return error code
    }
    
    if (day < 1 || day > 31) {
        LXW_WARN("lxw_datetime_to_excel_date: invalid day %d (must be 1-31)", day);
        return 0.0;
    }
    
    // Year validation
    if (datetime->year < 1900 || datetime->year > 9999) {
        LXW_WARN("lxw_datetime_to_excel_date: invalid year %d", datetime->year);
        return 0.0;
    }
    
    // Continue with existing implementation...
}

Additional Information

This bug is detected by fuzzing.

Originally created by @LkkkLxy on GitHub (Oct 11, 2025). Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/491 Originally assigned to: @jmcnamara on GitHub. ## Description A stack buffer overflow vulnerability exists in libxlsxwriter's datetime conversion function. When `lxw_datetime_to_excel_datetime()` is called with a `month` value greater than 12, the function accesses beyond the bounds of the `mdays` array, causing a stack buffer overflow. ## Steps to Reproduce ### Environment - **OS**: Linux (tested on Ubuntu with Docker) - **libxlsxwriter version**: Current git master - **Compiler**: clang with AddressSanitizer ### Compilation Command ```bash clang test_datetime_crash.c -o test_datetime_crash \ -fsanitize=address \ -I/path/to/libxlsxwriter/include \ /path/to/libxlsxwriter.a \ -lz -lm ``` ### Minimal Test Case ```c #include <xlsxwriter.h> #include <stdio.h> int main() { lxw_datetime datetime = { .year = 2024, .month = 100, // Invalid: must be 1-12 .day = 1, .hour = 0, .min = 0, .sec = 0.0 }; printf("Testing datetime with month = %d\n", datetime.month); // This triggers stack buffer overflow double result = lxw_datetime_to_excel_datetime(&datetime); printf("Result: %f\n", result); return 0; } ``` ### Expected Behavior The library should: 1. Validate that `month` is in the range 1-12 2. Return an error or default value for invalid input 3. Not crash or access memory outside of allocated buffers ### Actual Behavior The program crashes with a stack buffer overflow: ``` Testing datetime with month = 100 ================================================================= ==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff9ff3000d0 READ of size 16 at 0x7ff9ff3000d0 thread T0 #0 0x556a4308c5ad in lxw_datetime_to_excel_date_with_epoch /src/libxlsxwriter/src/utility.c:411:17 Address 0x7ff9ff3000d0 is located in stack of thread T0 at offset 80 in frame #0 0x556a4308bd2f in lxw_datetime_to_excel_date_with_epoch /src/libxlsxwriter/src/utility.c:342 This frame has 1 object(s): [32, 84) 'mdays' (line 355) <== Memory access at offset 80 partially overflows this variable SUMMARY: AddressSanitizer: stack-buffer-overflow /src/libxlsxwriter/src/utility.c:411:17 in lxw_datetime_to_excel_date_with_epoch ``` ## Root Cause In `src/utility.c` function `lxw_datetime_to_excel_date_with_epoch()`, line 411: ```c int mdays[] = { 0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; // mdays has only 13 elements (indices 0-12) // ... /* Add days for previous months. */ for (i = 0; i < month; i++) { days += mdays[i]; // No bounds check on month value } ``` The function reads `datetime->month` from user input but does not validate it before using it as a loop bound to access the `mdays` array. When `month > 12`, the loop accesses beyond the array bounds. ### Call Stack ``` #0 lxw_datetime_to_excel_date_with_epoch() at utility.c:411:17 #1 lxw_datetime_to_excel_datetime() #2 User code ``` ## Proposed Fix Add input validation at the start of `lxw_datetime_to_excel_date_with_epoch()`: ```c double lxw_datetime_to_excel_date_with_epoch(lxw_datetime *datetime, uint8_t use_1904_epoch) { int month = datetime->month; int day = datetime->day; // Validate datetime components if (month < 1 || month > 12) { LXW_WARN("lxw_datetime_to_excel_date: invalid month %d (must be 1-12)", month); return 0.0; // or return error code } if (day < 1 || day > 31) { LXW_WARN("lxw_datetime_to_excel_date: invalid day %d (must be 1-31)", day); return 0.0; } // Year validation if (datetime->year < 1900 || datetime->year > 9999) { LXW_WARN("lxw_datetime_to_excel_date: invalid year %d", datetime->year); return 0.0; } // Continue with existing implementation... } ``` ## Additional Information This bug is detected by fuzzing.
gitea-mirror 2026-05-05 12:14:05 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 12:14:10 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Oct 13, 2025):

Thanks. I'll look into that.

<!-- gh-comment-id:3396399983 --> @jmcnamara commented on GitHub (Oct 13, 2025): Thanks. I'll look into that.
gitea-mirror commented 2026-05-05 12:14:11 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Oct 31, 2025):

Fixed on main. Thanks.

<!-- gh-comment-id:3471896332 --> @jmcnamara commented on GitHub (Oct 31, 2025): Fixed on main. Thanks.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
coverity
cmake-improvements
cmake_pkgconfig_fix
ctest
button
tables
autofilter
dtoa
iwyu
openssl
gentoo
gh310
condition_format
rich_string_html
header_footer_images
custom_data_labels
object_position
gh265
constant_mode_comments2
constant_mode_comments
vml
md5
vcpkg
hyperlinks
api_refactor
win_fopen
gh203
rich_strings
chartsheet
in_mem_image
gh192
revert-162-master
data_validation
meson
charts
scan_build
utf8_strlen
tmpfileplus
custom_properties
insert_image
default_row
control_chars
worksheet_protect
dev
red_black
panes
mkstemp
defined_names
optimise
wip
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.9
v1.1.8
RELEASE_1.1.7
RELEASE_1.1.6
RELEASE_1.1.5
RELEASE_1.1.4
RELEASE_1.1.3
RELEASE_1.1.2
RELEASE_1.1.1
RELEASE_1.1.0
RELEASE_1.0.9
RELEASE_1.0.8
RELEASE_1.0.7
RELEASE_1.0.6
RELEASE_1.0.5
RELEASE_1.0.4
RELEASE_1.0.3
RELEASE_1.0.2
RELEASE_1.0.1
RELEASE_1.0.0
RELEASE_0.9.9
RELEASE_0.9.8
RELEASE_0.9.7
RELEASE_0.9.6
RELEASE_0.9.5
RELEASE_0.9.4
RELEASE_0.9.3
RELEASE_0.9.2
RELEASE_0.9.1
RELEASE_0.9.0
RELEASE_0.8.9
RELEASE_0.8.8
RELEASE_0.8.7
RELEASE_0.8.6
RELEASE_0.8.5
RELEASE_0.8.4
RELEASE_0.8.3
RELEASE_0.8.2
RELEASE_0.8.1
RELEASE_0.8.0
RELEASE_0.7.9
RELEASE_0.7.8
RELEASE_0.7.7
RELEASE_0.7.6
RELEASE_0.7.5
RELEASE_0.7.4
RELEASE_0.7.3
RELEASE_0.7.2
RELEASE_0.7.1
RELEASE_0.7.0
RELEASE_0.6.9
RELEASE_0.6.8
RELEASE_0.6.7
RELEASE_0.6.6
RELEASE_0.6.5
RELEASE_0.6.4
RELEASE_0.6.3
RELEASE_0.6.2
RELEASE_0.6.1
RELEASE_0.6.0
RELEASE_0.5.9
RELEASE_0.5.8
RELEASE_0.5.7
RELEASE_0.5.6
RELEASE_0.5.5
RELEASE_0.5.4
RELEASE_0.5.3
RELEASE_0.5.2
RELEASE_0.5.1
RELEASE_0.5.0
RELEASE_0.4.9
RELEASE_0.4.8
RELEASE_0.4.7
RELEASE_0.4.6
RELEASE_0.4.5
RELEASE_0.4.4
RELEASE_0.4.3
RELEASE_0.4.2
RELEASE_0.4.1
RELEASE_0.4.0
RELEASE_0.3.9
RELEASE_0.3.8
RELEASE_0.3.7
RELEASE_0.3.6
RELEASE_0.3.5
RELEASE_0.3.4
RELEASE_0.3.3
RELEASE_0.3.2
RELEASE_0.3.1
RELEASE_0.3.0
RELEASE_0.2.9
RELEASE_0.2.8
RELEASE_0.2.7
RELEASE_0.2.6
RELEASE_0.2.5
RELEASE_0.2.4
RELEASE_0.2.3
RELEASE_0.2.2
RELEASE_0.2.1
RELEASE_0.2.0
RELEASE_0.1.9
RELEASE_0.1.8
RELEASE_0.1.7
RELEASE_0.1.6
RELEASE_0.1.5
RELEASE_0.1.4
RELEASE_0.1.3
RELEASE_0.1.2
RELEASE_0.1.1
RELEASE_0.1.0
RELEASE_0.0.9
RELEASE_0.0.8
RELEASE_0.0.7
RELEASE_0.0.6
RELEASE_0.0.5
RELEASE_0.0.4
RELEASE_0.0.3
RELEASE_0.0.2
RELEASE_0.0.1
Labels
Clear labels   
awaiting user feedback

   
bug

   
cmake

   
cmake

   
docs

   
feature request

   
in progress

   
long term

   
medium term

   
medium term

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
ready to close

   
short term

   
under investigation

   
wontfix
No labels
awaiting user feedback
bug
cmake
cmake
docs
feature request
in progress
long term
medium term
medium term
pull-request
question
question
ready to close
short term
under investigation
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/libxlsxwriter#384
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?