github-starred/libxlsxwriter
2
0
Fork 0
mirror of https://github.com/jmcnamara/libxlsxwriter.git synced 2026-05-15 06:06:09 -06:00
Code Issues 16 Projects Packages Wiki Activity Actions

[GH-ISSUE #512] worksheet_data_validation_cell: heap overflow and infinite loop when value_list contains 256+ items #398

New issue
Open
opened 2026-05-05 12:14:43 -06:00 by gitea-mirror · 0 comments
gitea-mirror commented 2026-05-05 12:14:43 -06:00
Owner
Copy link

Originally created by @billdenney on GitHub (Apr 6, 2026).
Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/512

Summary

Passing a NULL-terminated value_list array with 256 or more entries to worksheet_data_validation_cell() (or worksheet_data_validation_range()) causes the process to hang indefinitely and ultimately overflow a heap buffer.

Reproduction

#include "xlsxwriter.h"
#include <string.h>

int main(void) {
    /* Build a NULL-terminated list of 256 single-character strings. */
    const char *list[257];
    char items[256][2];
    int i;

    for (i = 0; i < 256; i++) {
        items[i][0] = 'a' + (i % 26);
        items[i][1] = '\0';
        list[i] = items[i];
    }
    list[256] = NULL;

    lxw_workbook  *workbook  = workbook_new("validation_list_bug.xlsx");
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);

    lxw_data_validation dv;
    memset(&dv, 0, sizeof(dv));
    dv.validate   = LXW_VALIDATION_TYPE_LIST;
    dv.value_list = list;

    /* This call never returns. */
    worksheet_data_validation_cell(worksheet, CELL("A1"), &dv);

    return workbook_close(workbook);
}

Compile with AddressSanitizer (-fsanitize=address) to get an immediate crash instead of a hang.

Expected behaviour

worksheet_data_validation_cell() should return LXW_ERROR_255_STRING_LENGTH_EXCEEDED. The combined CSV string for 256 single-character items is 511 characters (256 items + 255 commas), which exceeds Excel's 255-character limit for validation list strings.

Actual behaviour

The process crashes. With AddressSanitizer it crashes immediately with a heap-buffer-overflow report.

Root cause

The internal helper _validation_list_length() uses a uint8_t loop counter and exits early once the running total reaches LXW_VALIDATION_MAX_STRING_LENGTH (255). For 256 single-character items it exits after counting 128 of them (running total 256 ≥ 255 triggers the guard) and returns 255 after the length-- adjustment. The caller's check length > 255 evaluates to false, so the list is accepted.

_validation_list_to_csv() is then called. It also uses a uint8_t loop counter. After processing index 255, i++ wraps back to 0. list[0] is non-NULL, so the loop restarts from the beginning and runs forever, continuously calling strcat into a 1023-byte heap buffer until the buffer overflows and the heap is corrupted.

Suggested resolution

Two changes in src/worksheet.c.

In _validation_list_length(): change the counter type to size_t and remove the early-exit length guard so the function always returns the actual total length of the list. The caller's existing length > LXW_VALIDATION_MAX_STRING_LENGTH check then correctly rejects over-length lists before _validation_list_to_csv() is ever reached.

--- a/src/worksheet.c
+++ b/src/worksheet.c
@@ _validation_list_length()
-    uint8_t i = 0;
+    size_t i = 0;
     size_t length = 0;

     if (!list || !list[0])
         return 0;

-    while (list[i] && length < LXW_VALIDATION_MAX_STRING_LENGTH) {
+    while (list[i]) {
         /* Include commas in the length. */
         length += 1 + lxw_utf8_strlen(list[i]);
         i++;
     }

@@ _validation_list_to_csv()
-    uint8_t i = 0;
+    size_t i = 0;
Originally created by @billdenney on GitHub (Apr 6, 2026). Original GitHub issue: https://github.com/jmcnamara/libxlsxwriter/issues/512 ### Summary Passing a `NULL`-terminated `value_list` array with 256 or more entries to `worksheet_data_validation_cell()` (or `worksheet_data_validation_range()`) causes the process to hang indefinitely and ultimately overflow a heap buffer. ### Reproduction ```c #include "xlsxwriter.h" #include <string.h> int main(void) { /* Build a NULL-terminated list of 256 single-character strings. */ const char *list[257]; char items[256][2]; int i; for (i = 0; i < 256; i++) { items[i][0] = 'a' + (i % 26); items[i][1] = '\0'; list[i] = items[i]; } list[256] = NULL; lxw_workbook *workbook = workbook_new("validation_list_bug.xlsx"); lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL); lxw_data_validation dv; memset(&dv, 0, sizeof(dv)); dv.validate = LXW_VALIDATION_TYPE_LIST; dv.value_list = list; /* This call never returns. */ worksheet_data_validation_cell(worksheet, CELL("A1"), &dv); return workbook_close(workbook); } ``` Compile with AddressSanitizer (`-fsanitize=address`) to get an immediate crash instead of a hang. ### Expected behaviour `worksheet_data_validation_cell()` should return `LXW_ERROR_255_STRING_LENGTH_EXCEEDED`. The combined CSV string for 256 single-character items is 511 characters (256 items + 255 commas), which exceeds Excel's 255-character limit for validation list strings. ### Actual behaviour The process crashes. With AddressSanitizer it crashes immediately with a heap-buffer-overflow report. ### Root cause The internal helper `_validation_list_length()` uses a `uint8_t` loop counter and exits early once the running total reaches `LXW_VALIDATION_MAX_STRING_LENGTH` (255). For 256 single-character items it exits after counting 128 of them (running total 256 ≥ 255 triggers the guard) and returns 255 after the `length--` adjustment. The caller's check `length > 255` evaluates to false, so the list is accepted. `_validation_list_to_csv()` is then called. It also uses a `uint8_t` loop counter. After processing index 255, `i++` wraps back to 0. `list[0]` is non-`NULL`, so the loop restarts from the beginning and runs forever, continuously calling `strcat` into a 1023-byte heap buffer until the buffer overflows and the heap is corrupted. ### Suggested resolution Two changes in `src/worksheet.c`. In `_validation_list_length()`: change the counter type to `size_t` and remove the early-exit length guard so the function always returns the actual total length of the list. The caller's existing `length > LXW_VALIDATION_MAX_STRING_LENGTH` check then correctly rejects over-length lists before `_validation_list_to_csv()` is ever reached. ```diff --- a/src/worksheet.c +++ b/src/worksheet.c @@ _validation_list_length() - uint8_t i = 0; + size_t i = 0; size_t length = 0; if (!list || !list[0]) return 0; - while (list[i] && length < LXW_VALIDATION_MAX_STRING_LENGTH) { + while (list[i]) { /* Include commas in the length. */ length += 1 + lxw_utf8_strlen(list[i]); i++; } @@ _validation_list_to_csv() - uint8_t i = 0; + size_t i = 0; ```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
coverity
cmake-improvements
cmake_pkgconfig_fix
ctest
button
tables
autofilter
dtoa
iwyu
openssl
gentoo
gh310
condition_format
rich_string_html
header_footer_images
custom_data_labels
object_position
gh265
constant_mode_comments2
constant_mode_comments
vml
md5
vcpkg
hyperlinks
api_refactor
win_fopen
gh203
rich_strings
chartsheet
in_mem_image
gh192
revert-162-master
data_validation
meson
charts
scan_build
utf8_strlen
tmpfileplus
custom_properties
insert_image
default_row
control_chars
worksheet_protect
dev
red_black
panes
mkstemp
defined_names
optimise
wip
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.9
v1.1.8
RELEASE_1.1.7
RELEASE_1.1.6
RELEASE_1.1.5
RELEASE_1.1.4
RELEASE_1.1.3
RELEASE_1.1.2
RELEASE_1.1.1
RELEASE_1.1.0
RELEASE_1.0.9
RELEASE_1.0.8
RELEASE_1.0.7
RELEASE_1.0.6
RELEASE_1.0.5
RELEASE_1.0.4
RELEASE_1.0.3
RELEASE_1.0.2
RELEASE_1.0.1
RELEASE_1.0.0
RELEASE_0.9.9
RELEASE_0.9.8
RELEASE_0.9.7
RELEASE_0.9.6
RELEASE_0.9.5
RELEASE_0.9.4
RELEASE_0.9.3
RELEASE_0.9.2
RELEASE_0.9.1
RELEASE_0.9.0
RELEASE_0.8.9
RELEASE_0.8.8
RELEASE_0.8.7
RELEASE_0.8.6
RELEASE_0.8.5
RELEASE_0.8.4
RELEASE_0.8.3
RELEASE_0.8.2
RELEASE_0.8.1
RELEASE_0.8.0
RELEASE_0.7.9
RELEASE_0.7.8
RELEASE_0.7.7
RELEASE_0.7.6
RELEASE_0.7.5
RELEASE_0.7.4
RELEASE_0.7.3
RELEASE_0.7.2
RELEASE_0.7.1
RELEASE_0.7.0
RELEASE_0.6.9
RELEASE_0.6.8
RELEASE_0.6.7
RELEASE_0.6.6
RELEASE_0.6.5
RELEASE_0.6.4
RELEASE_0.6.3
RELEASE_0.6.2
RELEASE_0.6.1
RELEASE_0.6.0
RELEASE_0.5.9
RELEASE_0.5.8
RELEASE_0.5.7
RELEASE_0.5.6
RELEASE_0.5.5
RELEASE_0.5.4
RELEASE_0.5.3
RELEASE_0.5.2
RELEASE_0.5.1
RELEASE_0.5.0
RELEASE_0.4.9
RELEASE_0.4.8
RELEASE_0.4.7
RELEASE_0.4.6
RELEASE_0.4.5
RELEASE_0.4.4
RELEASE_0.4.3
RELEASE_0.4.2
RELEASE_0.4.1
RELEASE_0.4.0
RELEASE_0.3.9
RELEASE_0.3.8
RELEASE_0.3.7
RELEASE_0.3.6
RELEASE_0.3.5
RELEASE_0.3.4
RELEASE_0.3.3
RELEASE_0.3.2
RELEASE_0.3.1
RELEASE_0.3.0
RELEASE_0.2.9
RELEASE_0.2.8
RELEASE_0.2.7
RELEASE_0.2.6
RELEASE_0.2.5
RELEASE_0.2.4
RELEASE_0.2.3
RELEASE_0.2.2
RELEASE_0.2.1
RELEASE_0.2.0
RELEASE_0.1.9
RELEASE_0.1.8
RELEASE_0.1.7
RELEASE_0.1.6
RELEASE_0.1.5
RELEASE_0.1.4
RELEASE_0.1.3
RELEASE_0.1.2
RELEASE_0.1.1
RELEASE_0.1.0
RELEASE_0.0.9
RELEASE_0.0.8
RELEASE_0.0.7
RELEASE_0.0.6
RELEASE_0.0.5
RELEASE_0.0.4
RELEASE_0.0.3
RELEASE_0.0.2
RELEASE_0.0.1
Labels
Clear labels   
awaiting user feedback

   
bug

   
cmake

   
cmake

   
docs

   
feature request

   
in progress

   
long term

   
medium term

   
medium term

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
ready to close

   
short term

   
under investigation

   
wontfix
No labels
awaiting user feedback
bug
cmake
cmake
docs
feature request
in progress
long term
medium term
medium term
pull-request
question
question
ready to close
short term
under investigation
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/libxlsxwriter#398
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?