_store_array_formula heap-buffer-overflow #446

Closed
wxie7 opened this issue May 22, 2024 · 5 comments

Comments


wxie7 commented May 22, 2024

Maybe there exists a bug in worksheet_write_dynamic_formula and worksheet_write_dynamic_array_formula.
Below is an example:

#include <xlsxwriter/workbook.h>
#include <xlsxwriter/worksheet.h>

int main() {

    lxw_workbook  *workbook  = workbook_new("demo.xlsx");
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);


    lxw_error err = worksheet_write_dynamic_formula(worksheet, 0, 0, "", NULL);
    // Also
    // worksheet_write_dynamic_array_formula(worksheet, 0, 0, 0, 0, "", NULL);
    if (err != LXW_NO_ERROR)
        return 1;

    workbook_close(workbook);

    return 0;
}

Below is the ASan information:

=================================================================
==2675438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000004af at pc 0x562869d4a523 bp 0x7fff05004f30 sp 0x7fff05004f28
READ of size 1 at 0x6020000004af thread T0
    #0 0x562869d4a522 in _store_array_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8075:9
    #1 0x562869d4adb5 in worksheet_write_dynamic_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8146:12
    #2 0x562869ce06a8 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug8.cpp:11:21
    #3 0x7fca4046ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fca4046ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x562869c20454 in _start (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug8+0x58454) (BuildId: e40ae509915daf6c86a9e328bddaa36cd11cb982)

0x6020000004af is located 1 bytes to the left of 1-byte region [0x6020000004b0,0x6020000004b1)
allocated by thread T0 here:
    #0 0x562869ca329e in malloc (/home/ubuntu/workspace/newest-libxlsxwriter/build/bug8+0xdb29e) (BuildId: e40ae509915daf6c86a9e328bddaa36cd11cb982)
    #1 0x562869e45ed8 in lxw_strdup /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:471:12
    #2 0x562869e4600f in lxw_strdup_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/utility.c:489:16
    #3 0x562869d4a4b5 in _store_array_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8072:24
    #4 0x562869d4adb5 in worksheet_write_dynamic_formula /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8146:12
    #5 0x562869ce06a8 in main /home/ubuntu/workspace/newest-libxlsxwriter/build/../bugs/bug8.cpp:11:21
    #6 0x7fca4046ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/workspace/newest-libxlsxwriter/src/worksheet.c:8075:9 in _store_array_formula
==2675438==ABORTING
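The report places the bad read one byte to the left of a 1-byte region handed back by lxw_strdup_formula, which is the signature of indexing a string at strlen(s) - 1 when s is empty. As an added example that is not libxlsxwriter's own code, a hypothetical brace-stripping helper with the length check that prevents that underflow:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libxlsxwriter's own code: duplicate an array
 * formula while dropping a leading '{' and a trailing '}'. Returns a
 * malloc'd string (or NULL on allocation failure); the caller frees it. */
static char *strip_array_braces(const char *formula)
{
    size_t len;
    char *copy;

    if (formula == NULL)
        return NULL;

    if (formula[0] == '{')
        formula++;                      /* skip the opening brace */

    len = strlen(formula);
    copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, formula, len + 1);     /* includes the terminating NUL */

    /* An unguarded `copy[len - 1]` underflows to copy[-1] when len == 0.
     * For the empty formula "" that is a 1-byte read into the heap redzone
     * just left of a 1-byte allocation, the pattern ASan reports above.
     * Checking the length first makes the empty string a no-op. */
    if (len > 0 && copy[len - 1] == '}')
        copy[len - 1] = '\0';

    return copy;
}

/* Small check used by the assertions: 1 if stripping `in` yields `expected`. */
static int strips_to(const char *in, const char *expected)
{
    char *out = strip_array_braces(in);
    int ok = (out != NULL) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}
```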
@jmcnamara (Owner)

Thanks. I'll take a look.

BTW, are you finding these via fuzz testing or some other method?

@wxie7 (Author)

wxie7 commented May 22, 2024

> Thanks. I'll take a look.
>
> BTW, are you finding these via fuzz testing or some other method?

Yes, I wrote a new fuzz driver according to #431

@jmcnamara (Owner)

Could you post some instructions on how to compile examples like the one above with AddressSanitizer?

@wxie7 (Author)

wxie7 commented May 22, 2024

  1. Add `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=trace-pc-guard")` in CMakeList.txt
  2. Build libxlsxwriter
  3. Use `clang++ -g -fsanitize=leak,address ../bugs/bug8.cpp -L. -lxlsxwriter -lz -o bug8` in the build directory

@jmcnamara (Owner)

Fixed on main. Thanks.
