SIGSEGV in xls2csv.c:199 (strcmp((char *)cell->str, "bool"))
setsal Lan commented
Description
With a specific xls file as input, it causes a segmentation fault when processing an xls cell in strcmp().
Backtracing to the xls2csv source code, I think this bug may be due to a null cell->str pointer dereference or an xls format check bypass in xls_open_file().
Test Version
Test Environment
libxls/.libs on dev
➜ uname -a
Linux typelansq 5.6.0-kali1-amd64 #1 SMP Debian 5.6.7-1kali1 (2020-05-12) x86_64 GNU/Linux
libxls/.libs on dev
➜ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/9/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 9.3.0-13' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-9 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-9-F9gimE/gcc-9-9.3.0/debian/tmp-nvptx/usr,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-mutex
Thread model: posix
gcc version 9.3.0 (Debian 9.3.0-13)
libxls/.libs on dev
➜ file poc_0*
poc_01.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: cleit, Last Saved By: leitiennec, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Oct 14 23:33:28 1996, Last Saved Time/Date: Sat Feb 21 15:49:43 2009, Security: 0
poc_02.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: cleit, Last Saved By: leitiennec, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Oct 14 23:33:28 1996, Last Saved Time/Date: Sat Feb 21 15:49:43 2009, Security: 0
GDB and Backtrace
libxls/.libs on dev took 4m 40s
➜ LD_LIBRARY_PATH=. gdb ./xls2csv
gdb-peda$ run ./poc_01.xls
.
.
Legend: code, data, rodata, heap, value
Stopped reason: SIGSEGV
0x0000555555555399 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffdbe8) at src/xls2csv.c:199
199 if (!strcmp((char *)cell->str, "bool")) // its boolean, and test cell->d
gdb-peda$ bt
#0 0x0000555555555399 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffdbe8) at src/xls2csv.c:199
#1 0x00007ffff7df1cca in __libc_start_main (main=0x555555555160 <main>, argc=0x2, argv=0x7fffffffdbe8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdbd8) at ../csu/libc-start.c:308
#2 0x000055555555561a in _start ()
gdb-peda$ l
194 // formula
195 if (cell->l == 0) // its a number
196 {
197 OutputNumber(cell->d);
198 } else {
199 if (!strcmp((char *)cell->str, "bool")) // its boolean, and test cell->d
200 {
201 OutputString((int) cell->d ? "true" : "false");
202 } else if (!strcmp((char *)cell->str, "error")) // formula is in error
203 {
gdb-peda$ p *cell
$2 = {
id = 0x6,
row = 0x17,
col = 0x2,
xf = 0xf,
str = 0x0,
d = 0,
l = 0xffff,
width = 0x924,
colspan = 0x0,
rowspan = 0x0,
isHidden = 0x0
}
POC file
If you need any further information, please feel free to contact me.
Thanks,
setsal
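A guarded version of the xls2csv formula branch quoted in the backtrace, added here as an example; it is not libxls's own code and not the fix in dbed5f2. It rebuilds the `p *cell` state (str = 0x0, d = 0, l = 0xffff) in a constructed stand-in struct and checks for a NULL str before any strcmp(); the struct, enum and function names are my own, and rendering a missing string as an empty field is my choice for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the libxls cell: only the fields the xls2csv
 * branch in the report reads (str, d, l); not the real struct xlsCell. */
struct cell_like {
    const char *str;   /* formula result text; NULL in the crashing cell */
    double      d;     /* numeric / boolean value */
    int32_t     l;     /* 0 means "numeric result" in the original branch */
};
enum formula_kind { F_NUMBER, F_BOOL, F_ERROR, F_STRING, F_MISSING };

/* Same decision order as xls2csv.c:195-202, plus a NULL check before any
 * strcmp(). F_MISSING is what the crashing file produces: l != 0 but no
 * string attached to the cell, so the original code dereferences NULL. */
enum formula_kind classify_formula_cell(const struct cell_like *cell)
{
    if (cell->l == 0)
        return F_NUMBER;
    if (cell->str == NULL)
        return F_MISSING;            /* hardened path: never strcmp(NULL) */
    if (strcmp(cell->str, "bool") == 0)
        return F_BOOL;
    if (strcmp(cell->str, "error") == 0)
        return F_ERROR;
    return F_STRING;
}
/* Render one formula cell into buf; F_MISSING becomes an empty CSV field
 * (my choice for this example, not necessarily what the upstream fix does). */
const char *render_formula_cell(const struct cell_like *cell, char *buf, size_t len)
{
    switch (classify_formula_cell(cell)) {
    case F_NUMBER:  snprintf(buf, len, "%g", cell->d);                         break;
    case F_BOOL:    snprintf(buf, len, "%s", (int)cell->d ? "true" : "false"); break;
    case F_ERROR:   snprintf(buf, len, "%s", "#ERROR");                        break;
    case F_STRING:  snprintf(buf, len, "%s", cell->str);                       break;
    case F_MISSING: buf[0] = '\0';                                             break;
    }
    return buf;
}
/* The cell from the `p *cell` dump in the report: str = 0x0, d = 0, l = 0xffff. */
const struct cell_like poc_cell = { NULL, 0.0, 0xffff };
int main(void)
{
    char buf[32];
    printf("[%s]\n", render_formula_cell(&poc_cell, buf, sizeof buf)); /* prints "[]" */
    return 0;
}
```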
Evan Miller commented
Thanks for the report! Should be fixed in dbed5f2
Evan Miller commented
Fixed in libxls 1.6.2