github-starred/libxlsxwriter
2
0
Fork 0
mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-15 14:15:54 -06:00
Code Issues 16 Projects Packages Wiki Activity Actions

[GH-ISSUE #496] Heap oob read in lxw_styles_write_string_fragment on empty style string #386

New issue
Closed
opened 2026-05-05 12:14:15 -06:00 by gitea-mirror · 1 comment
gitea-mirror commented 2026-05-05 12:14:15 -06:00
Owner
Copy link

Originally created by @hgarrereyn on GitHub (Dec 18, 2025).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/496

Hi, there is a potential bug in lxw_styles_write_string_fragment reachable when invoked with an empty string.

This bug was reproduced on f0647157ba.

Description

What crashes and where:

  • The crash occurs in styles.c at lxw_styles_write_string_fragment when adding an attribute to preserve whitespace:
    if (isspace((unsigned char)string[0]) || isspace((unsigned char)string[strlen(string) - 1]))
  • For an empty string (length 0), the expression string[strlen(string) - 1] reads one byte before the buffer, causing an out-of-bounds read. AddressSanitizer reports a heap/global buffer overflow depending on how the empty string storage is provided.

Suggested fix in the library:

  • Guard the trailing-character access with a length check. For example:
    size_t len = strlen(string);
    if (len > 0 && (isspace((unsigned char)string[0]) || isspace((unsigned char)string[len - 1]))) {
    LXW_PUSH_ATTRIBUTES_STR("xml:space", "preserve");
    }

POC

The following testcase demonstrates the bug:

testcase.cpp

#include <cstdio>
extern "C" {
#include "/fuzz/install/include/xlsxwriter/styles.h"
}
int main(){
    lxw_styles* s = lxw_styles_new();
    if (!s) return 0;
    FILE* fp = fopen("/tmp/out.xml", "wb+");
    if (!fp) return 0;
    s->file = fp;                 // satisfy FILE* precondition
    const char* str = "";        // empty string triggers bug
    // Triggers OOB read at styles.c:98: string[strlen(string)-1] with len==0
    lxw_styles_write_string_fragment(s, str);
    fclose(fp);
    return 0;
}

stdout

stderr

=================================================================
==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559409043bdf at pc 0x559409025bf3 bp 0x7fff45e17010 sp 0x7fff45e17008
READ of size 1 at 0x559409043bdf thread T0
    #0 0x559409025bf2 in lxw_styles_write_string_fragment (/fuzz/test+0x10bbf2) (BuildId: e622a699f6a8197fcee2f648da01711d43627a92)
    #1 0x5594090254b7 in main /fuzz/testcase.cpp:13:5
    #2 0x7fade6150d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fade6150e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x559408f4a304 in _start (/fuzz/test+0x30304) (BuildId: e622a699f6a8197fcee2f648da01711d43627a92)

0x559409043bdf is located 1 bytes before global variable '.str.2' defined in '/fuzz/testcase.cpp:11' (0x559409043be0) of size 1
  '.str.2' is ascii string ''
0x559409043bdf is located 27 bytes after global variable '.str.1' defined in '/fuzz/testcase.cpp:8' (0x559409043bc0) of size 4
  '.str.1' is ascii string 'wb+'
SUMMARY: AddressSanitizer: global-buffer-overflow (/fuzz/test+0x10bbf2) (BuildId: e622a699f6a8197fcee2f648da01711d43627a92) in lxw_styles_write_string_fragment
Shadow bytes around the buggy address:
  0x559409043900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x559409043980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x559409043a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x559409043a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x559409043b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x559409043b80: 00 00 00 00 00 05 f9 f9 04 f9 f9[f9]01 f9 f9 f9
  0x559409043c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9
  0x559409043c80: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 02 f9 f9
  0x559409043d00: 00 01 f9 f9 02 f9 f9 f9 00 03 f9 f9 04 f9 f9 f9
  0x559409043d80: 05 f9 f9 f9 02 f9 f9 f9 02 f9 f9 f9 07 f9 f9 f9
  0x559409043e00: 00 f9 f9 f9 07 f9 f9 f9 00 04 f9 f9 00 02 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING
Steps to Reproduce

The crash was triaged with the following Dockerfile:

Dockerfile

# Ubuntu 22.04 with some packages pre-installed
FROM hgarrereyn/stitch_repro_base@sha256:3ae94cdb7bf2660f4941dc523fe48cd2555049f6fb7d17577f5efd32a40fdd2c

RUN git clone https://github.com/jmcnamara/libxlsxwriter.git /fuzz/src && \
    cd /fuzz/src && \
    git checkout f0647157ba70d3b9372e5eef05ed489c73107b62 && \
    git submodule update --init --remote --recursive

ENV LD_LIBRARY_PATH=/fuzz/install/lib
ENV ASAN_OPTIONS=hard_rss_limit_mb=1024:detect_leaks=0

RUN echo '#!/bin/bash\nexec clang-17 -fsanitize=address -O0 "$@"' > /usr/local/bin/clang_wrapper && \
    chmod +x /usr/local/bin/clang_wrapper && \
    echo '#!/bin/bash\nexec clang++-17 -fsanitize=address -O0 "$@"' > /usr/local/bin/clang_wrapper++ && \
    chmod +x /usr/local/bin/clang_wrapper++

RUN apt-get update && apt-get install -y --no-install-recommends \
    cmake \
    ninja-build \
    make \
    pkg-config \
    zlib1g-dev \
 && rm -rf /var/lib/apt/lists/*

ENV CC=clang_wrapper \
    CXX=clang_wrapper++

WORKDIR /fuzz/src

RUN cmake -S . -B build -G Ninja \
    -DCMAKE_BUILD_TYPE=Release \
    -DBUILD_SHARED_LIBS=OFF \
    -DBUILD_TESTS=OFF \
    -DBUILD_EXAMPLES=OFF \
    -DCMAKE_INSTALL_PREFIX=/fuzz/install \
 && cmake --build build --config Release \
 && cmake --install build --config Release

Build Command

clang++-17 -fsanitize=address -g -O0 -o /fuzz/test /fuzz/testcase.cpp -I/fuzz/install/include -L/fuzz/install/lib -lxlsxwriter -lz && /fuzz/test

Reproduce

  1. Copy Dockerfile and testcase.cpp into a local folder.
  2. Build the repro image:
docker build . -t repro --platform=linux/amd64
  1. Compile and run the testcase in the image:
docker run \
    -it --rm \
    --platform linux/amd64 \
    --mount type=bind,source="$(pwd)/testcase.cpp",target=/fuzz/testcase.cpp \
    repro \
    bash -c "clang++-17 -fsanitize=address -g -O0 -o /fuzz/test /fuzz/testcase.cpp -I/fuzz/install/include -L/fuzz/install/lib -lxlsxwriter -lz && /fuzz/test"

Additional Info

This testcase was discovered by STITCH, an autonomous fuzzing system. All reports are reviewed manually (by a human) before submission.

Originally created by @hgarrereyn on GitHub (Dec 18, 2025). Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/496 Hi, there is a potential bug in `lxw_styles_write_string_fragment` reachable when invoked with an empty string. This bug was reproduced on https://github.com/jmcnamara/libxlsxwriter/commit/f0647157ba70d3b9372e5eef05ed489c73107b62. ### Description What crashes and where: - The crash occurs in styles.c at lxw_styles_write_string_fragment when adding an attribute to preserve whitespace: if (isspace((unsigned char)string[0]) || isspace((unsigned char)string[strlen(string) - 1])) - For an empty string (length 0), the expression string[strlen(string) - 1] reads one byte before the buffer, causing an out-of-bounds read. AddressSanitizer reports a heap/global buffer overflow depending on how the empty string storage is provided. Suggested fix in the library: - Guard the trailing-character access with a length check. For example: size_t len = strlen(string); if (len > 0 && (isspace((unsigned char)string[0]) || isspace((unsigned char)string[len - 1]))) { LXW_PUSH_ATTRIBUTES_STR("xml:space", "preserve"); } ### POC The following testcase demonstrates the bug: **testcase.cpp** ```cpp #include <cstdio> extern "C" { #include "/fuzz/install/include/xlsxwriter/styles.h" } int main(){ lxw_styles* s = lxw_styles_new(); if (!s) return 0; FILE* fp = fopen("/tmp/out.xml", "wb+"); if (!fp) return 0; s->file = fp; // satisfy FILE* precondition const char* str = ""; // empty string triggers bug // Triggers OOB read at styles.c:98: string[strlen(string)-1] with len==0 lxw_styles_write_string_fragment(s, str); fclose(fp); return 0; } ``` **stdout** ```text ``` **stderr** ```text ================================================================= ==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559409043bdf at pc 0x559409025bf3 bp 0x7fff45e17010 sp 0x7fff45e17008 READ of size 1 at 0x559409043bdf thread T0 #0 0x559409025bf2 in lxw_styles_write_string_fragment (/fuzz/test+0x10bbf2) (BuildId: e622a699f6a8197fcee2f648da01711d43627a92) #1 0x5594090254b7 in main /fuzz/testcase.cpp:13:5 #2 0x7fade6150d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #3 0x7fade6150e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #4 0x559408f4a304 in _start (/fuzz/test+0x30304) (BuildId: e622a699f6a8197fcee2f648da01711d43627a92) 0x559409043bdf is located 1 bytes before global variable '.str.2' defined in '/fuzz/testcase.cpp:11' (0x559409043be0) of size 1 '.str.2' is ascii string '' 0x559409043bdf is located 27 bytes after global variable '.str.1' defined in '/fuzz/testcase.cpp:8' (0x559409043bc0) of size 4 '.str.1' is ascii string 'wb+' SUMMARY: AddressSanitizer: global-buffer-overflow (/fuzz/test+0x10bbf2) (BuildId: e622a699f6a8197fcee2f648da01711d43627a92) in lxw_styles_write_string_fragment Shadow bytes around the buggy address: 0x559409043900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x559409043980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x559409043a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x559409043a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x559409043b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x559409043b80: 00 00 00 00 00 05 f9 f9 04 f9 f9[f9]01 f9 f9 f9 0x559409043c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 0x559409043c80: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 02 f9 f9 0x559409043d00: 00 01 f9 f9 02 f9 f9 f9 00 03 f9 f9 04 f9 f9 f9 0x559409043d80: 05 f9 f9 f9 02 f9 f9 f9 02 f9 f9 f9 07 f9 f9 f9 0x559409043e00: 00 f9 f9 f9 07 f9 f9 f9 00 04 f9 f9 00 02 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1==ABORTING ``` <details><summary>Steps to Reproduce</summary> <p> The crash was triaged with the following Dockerfile: **Dockerfile** ```dockerfile # Ubuntu 22.04 with some packages pre-installed FROM hgarrereyn/stitch_repro_base@sha256:3ae94cdb7bf2660f4941dc523fe48cd2555049f6fb7d17577f5efd32a40fdd2c RUN git clone https://github.com/jmcnamara/libxlsxwriter.git /fuzz/src && \ cd /fuzz/src && \ git checkout f0647157ba70d3b9372e5eef05ed489c73107b62 && \ git submodule update --init --remote --recursive ENV LD_LIBRARY_PATH=/fuzz/install/lib ENV ASAN_OPTIONS=hard_rss_limit_mb=1024:detect_leaks=0 RUN echo '#!/bin/bash\nexec clang-17 -fsanitize=address -O0 "$@"' > /usr/local/bin/clang_wrapper && \ chmod +x /usr/local/bin/clang_wrapper && \ echo '#!/bin/bash\nexec clang++-17 -fsanitize=address -O0 "$@"' > /usr/local/bin/clang_wrapper++ && \ chmod +x /usr/local/bin/clang_wrapper++ RUN apt-get update && apt-get install -y --no-install-recommends \ cmake \ ninja-build \ make \ pkg-config \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* ENV CC=clang_wrapper \ CXX=clang_wrapper++ WORKDIR /fuzz/src RUN cmake -S . -B build -G Ninja \ -DCMAKE_BUILD_TYPE=Release \ -DBUILD_SHARED_LIBS=OFF \ -DBUILD_TESTS=OFF \ -DBUILD_EXAMPLES=OFF \ -DCMAKE_INSTALL_PREFIX=/fuzz/install \ && cmake --build build --config Release \ && cmake --install build --config Release ``` **Build Command** ```bash clang++-17 -fsanitize=address -g -O0 -o /fuzz/test /fuzz/testcase.cpp -I/fuzz/install/include -L/fuzz/install/lib -lxlsxwriter -lz && /fuzz/test ``` **Reproduce** 1. Copy `Dockerfile` and `testcase.cpp` into a local folder. 2. Build the repro image: ```bash docker build . -t repro --platform=linux/amd64 ``` 3. Compile and run the testcase in the image: ```bash docker run \ -it --rm \ --platform linux/amd64 \ --mount type=bind,source="$(pwd)/testcase.cpp",target=/fuzz/testcase.cpp \ repro \ bash -c "clang++-17 -fsanitize=address -g -O0 -o /fuzz/test /fuzz/testcase.cpp -I/fuzz/install/include -L/fuzz/install/lib -lxlsxwriter -lz && /fuzz/test" ``` </p> </details> --- ### Additional Info This testcase was discovered by `STITCH`, an autonomous fuzzing system. All reports are reviewed manually (by a human) before submission.
gitea-mirror commented 2026-05-05 12:14:21 -06:00
Author
Owner
Copy link

@jmcnamara commented on GitHub (Dec 18, 2025):

A couple of things:

  • lxw_styles_write_string_fragment isn't an API that a user would call. It is an internal function and only "public" because of C's limited function privacy rules.
  • In the function where lxw_styles_write_string_fragment is called there is a check for empty strings before the function is called.

Closing.

<!-- gh-comment-id:3669271134 --> @jmcnamara commented on GitHub (Dec 18, 2025): A couple of things: - `lxw_styles_write_string_fragment` isn't an API that a user would call. It is an internal function and only "public" because of C's limited function privacy rules. - In the function where `lxw_styles_write_string_fragment` is called there is a check for empty strings before the function is called. Closing.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
coverity
cmake-improvements
cmake_pkgconfig_fix
ctest
button
tables
autofilter
dtoa
iwyu
openssl
gentoo
gh310
condition_format
rich_string_html
header_footer_images
custom_data_labels
object_position
gh265
constant_mode_comments2
constant_mode_comments
vml
md5
vcpkg
hyperlinks
api_refactor
win_fopen
gh203
rich_strings
chartsheet
in_mem_image
gh192
revert-162-master
data_validation
meson
charts
scan_build
utf8_strlen
tmpfileplus
custom_properties
insert_image
default_row
control_chars
worksheet_protect
dev
red_black
panes
mkstemp
defined_names
optimise
wip
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.9
v1.1.8
RELEASE_1.1.7
RELEASE_1.1.6
RELEASE_1.1.5
RELEASE_1.1.4
RELEASE_1.1.3
RELEASE_1.1.2
RELEASE_1.1.1
RELEASE_1.1.0
RELEASE_1.0.9
RELEASE_1.0.8
RELEASE_1.0.7
RELEASE_1.0.6
RELEASE_1.0.5
RELEASE_1.0.4
RELEASE_1.0.3
RELEASE_1.0.2
RELEASE_1.0.1
RELEASE_1.0.0
RELEASE_0.9.9
RELEASE_0.9.8
RELEASE_0.9.7
RELEASE_0.9.6
RELEASE_0.9.5
RELEASE_0.9.4
RELEASE_0.9.3
RELEASE_0.9.2
RELEASE_0.9.1
RELEASE_0.9.0
RELEASE_0.8.9
RELEASE_0.8.8
RELEASE_0.8.7
RELEASE_0.8.6
RELEASE_0.8.5
RELEASE_0.8.4
RELEASE_0.8.3
RELEASE_0.8.2
RELEASE_0.8.1
RELEASE_0.8.0
RELEASE_0.7.9
RELEASE_0.7.8
RELEASE_0.7.7
RELEASE_0.7.6
RELEASE_0.7.5
RELEASE_0.7.4
RELEASE_0.7.3
RELEASE_0.7.2
RELEASE_0.7.1
RELEASE_0.7.0
RELEASE_0.6.9
RELEASE_0.6.8
RELEASE_0.6.7
RELEASE_0.6.6
RELEASE_0.6.5
RELEASE_0.6.4
RELEASE_0.6.3
RELEASE_0.6.2
RELEASE_0.6.1
RELEASE_0.6.0
RELEASE_0.5.9
RELEASE_0.5.8
RELEASE_0.5.7
RELEASE_0.5.6
RELEASE_0.5.5
RELEASE_0.5.4
RELEASE_0.5.3
RELEASE_0.5.2
RELEASE_0.5.1
RELEASE_0.5.0
RELEASE_0.4.9
RELEASE_0.4.8
RELEASE_0.4.7
RELEASE_0.4.6
RELEASE_0.4.5
RELEASE_0.4.4
RELEASE_0.4.3
RELEASE_0.4.2
RELEASE_0.4.1
RELEASE_0.4.0
RELEASE_0.3.9
RELEASE_0.3.8
RELEASE_0.3.7
RELEASE_0.3.6
RELEASE_0.3.5
RELEASE_0.3.4
RELEASE_0.3.3
RELEASE_0.3.2
RELEASE_0.3.1
RELEASE_0.3.0
RELEASE_0.2.9
RELEASE_0.2.8
RELEASE_0.2.7
RELEASE_0.2.6
RELEASE_0.2.5
RELEASE_0.2.4
RELEASE_0.2.3
RELEASE_0.2.2
RELEASE_0.2.1
RELEASE_0.2.0
RELEASE_0.1.9
RELEASE_0.1.8
RELEASE_0.1.7
RELEASE_0.1.6
RELEASE_0.1.5
RELEASE_0.1.4
RELEASE_0.1.3
RELEASE_0.1.2
RELEASE_0.1.1
RELEASE_0.1.0
RELEASE_0.0.9
RELEASE_0.0.8
RELEASE_0.0.7
RELEASE_0.0.6
RELEASE_0.0.5
RELEASE_0.0.4
RELEASE_0.0.3
RELEASE_0.0.2
RELEASE_0.0.1
Labels
Clear labels   
awaiting user feedback

   
bug

   
cmake

   
cmake

   
docs

   
feature request

   
in progress

   
long term

   
medium term

   
medium term

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
ready to close

   
short term

   
under investigation

   
wontfix
No labels
awaiting user feedback
bug
cmake
cmake
docs
feature request
in progress
long term
medium term
medium term
pull-request
question
question
ready to close
short term
under investigation
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/libxlsxwriter#386
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?