brechtsanders / xlsxio

XLSX I/O - C library for reading and writing .xlsx files

A SEGV DEADLYSIGNALflow leading to crash in main_sheet_get_relid_expat_callback_element_start lib/xlsxio_read.c:813

Asteriska001 opened this issue

Description

A SEGV DEADLYSIGNALflow leading to crash.
The issue is being triggered in main_sheet_get_relid_expat_callback_element_start lib/xlsxio_read.c:813

Environment
Ubuntu 18.04, 64bit

Reproduce

Command
git clone the latest version first.
make && make install
./xlsxio_xlsx2csv poc

asan

AddressSanitizer:DEADLYSIGNAL
=================================================================
==17499==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff767a049 bp 0x7fffffffd500 sp 0x7fffffffcc80 T0)
==17499==The signal is caused by a READ memory access.
==17499==Hint: address points to the zero page.
#0 0x7ffff767a049 in __interceptor_strcasecmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:528
#1 0x55555555a196 in main_sheet_get_relid_expat_callback_element_start lib/xlsxio_read.c:813
#2 0x7ffff73b96b8 (/lib/x86_64-linux-gnu/libexpat.so.1+0xb6b8)
#3 0x7ffff73ba6af (/lib/x86_64-linux-gnu/libexpat.so.1+0xc6af)
#4 0x7ffff73bcdbf in XML_ParseBuffer (/lib/x86_64-linux-gnu/libexpat.so.1+0xedbf)
#5 0x555555558985 in expat_process_zip_file lib/xlsxio_read.c:182
#6 0x55555555a53d in main_sheet_get_sheetfile_callback lib/xlsxio_read.c:861
#7 0x555555559d69 in iterate_files_by_contenttype_expat_callback_element_start lib/xlsxio_read.c:672
#8 0x7ffff73b947c (/lib/x86_64-linux-gnu/libexpat.so.1+0xb47c)
#9 0x7ffff73ba6af (/lib/x86_64-linux-gnu/libexpat.so.1+0xc6af)
#10 0x7ffff73bcdbf in XML_ParseBuffer (/lib/x86_64-linux-gnu/libexpat.so.1+0xedbf)
#11 0x555555558985 in expat_process_zip_file lib/xlsxio_read.c:182
#12 0x55555555b74b in iterate_files_by_contenttype lib/xlsxio_read.c:733
#13 0x55555555bf37 in xlsxioread_process lib/xlsxio_read.c:1307
#14 0x55555555823c in xlsx_list_sheets_callback src/xlsxio_xlsx2csv.c:97
#15 0x55555555a105 in main_sheet_list_expat_callback_element_start lib/xlsxio_read.c:755
#16 0x7ffff73b947c (/lib/x86_64-linux-gnu/libexpat.so.1+0xb47c)
#17 0x7ffff73ba6af (/lib/x86_64-linux-gnu/libexpat.so.1+0xc6af)
#18 0x7ffff73bcdbf in XML_ParseBuffer (/lib/x86_64-linux-gnu/libexpat.so.1+0xedbf)
#19 0x555555558985 in expat_process_zip_file lib/xlsxio_read.c:182
#20 0x5555555589f7 in xlsxioread_list_sheets_callback lib/xlsxio_read.c:774
#21 0x555555559d69 in iterate_files_by_contenttype_expat_callback_element_start lib/xlsxio_read.c:672
#22 0x7ffff73b947c (/lib/x86_64-linux-gnu/libexpat.so.1+0xb47c)
#23 0x7ffff73ba6af (/lib/x86_64-linux-gnu/libexpat.so.1+0xc6af)
#24 0x7ffff73bcdbf in XML_ParseBuffer (/lib/x86_64-linux-gnu/libexpat.so.1+0xedbf)
#25 0x555555558985 in expat_process_zip_file lib/xlsxio_read.c:182
#26 0x55555555b74b in iterate_files_by_contenttype lib/xlsxio_read.c:733
#27 0x55555555b90a in xlsxioread_list_sheets lib/xlsxio_read.c:788
#28 0x555555557c25 in main src/xlsxio_xlsx2csv.c:172
#29 0x7ffff71e30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#30 0x555555557d7d in _start (/AFLplusplus/my_test/xlsxio/tanuki/asan_bin/xlsxio_xlsx2csv+0x3d7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:528 in __interceptor_strcasecmp
==17499==ABORTING

poc

000000.zip

If the sheet name is NULL on that line it would indeed crash.
I just added some checks to protect from that kind of behavior.
Can you try again?

Fixed. Thank you.

Released version 0.2.32 which includes this fix.
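
The failure mode in the trace above (a NULL pointer reaching strcasecmp from an expat start-element handler) next to the kind of check the maintainer describes, as an added example that is not xlsxio's own code. The helper names and the attribute arrays are constructed for illustration, and the actual fix in 0.2.32 may differ.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Hypothetical helper: look up a value in an expat-style attribute array
   (alternating name/value pointers, terminated by a NULL name).
   Returns NULL when the attribute is absent. */
static const char *attr_value(const char **atts, const char *key)
{
    if (!atts || !key)
        return NULL;
    for (size_t i = 0; atts[i] != NULL; i += 2) {
        if (atts[i + 1] == NULL)      /* malformed array: name without value */
            return NULL;
        if (strcasecmp(atts[i], key) == 0)
            return atts[i + 1];
    }
    return NULL;
}

/* Unchecked form: if the attribute is missing or `wanted` is NULL,
   strcasecmp reads address 0, which is the SEGV ASan reports. */
static int sheet_matches_unchecked(const char **atts, const char *wanted)
{
    return strcasecmp(attr_value(atts, "name"), wanted) == 0;
}

/* Checked form: a NULL on either side means "no match", never a dereference. */
static int sheet_matches_checked(const char **atts, const char *wanted)
{
    const char *name = attr_value(atts, "name");
    if (name == NULL || wanted == NULL)
        return 0;
    return strcasecmp(name, wanted) == 0;
}

/* Constructed inputs, shaped as expat hands them to a start-element handler. */
static const char *ATTS_OK[]      = { "name", "Sheet1", "sheetId", "1", NULL };
static const char *ATTS_NO_NAME[] = { "sheetId", "1", NULL };

int main(void)
{
    printf("unchecked, valid input: %d\n", sheet_matches_unchecked(ATTS_OK, "Sheet1"));
    printf("checked, present:       %d\n", sheet_matches_checked(ATTS_OK, "sheet1"));
    printf("checked, attr missing:  %d\n", sheet_matches_checked(ATTS_NO_NAME, "Sheet1"));
    printf("checked, wanted NULL:   %d\n", sheet_matches_checked(ATTS_OK, NULL));
    return 0;
}
```

Any value that comes out of an untrusted document through a lookup that can return NULL needs this check before it reaches a string function.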