libxlsxwriter icon indicating copy to clipboard operation
libxlsxwriter copied to clipboard

Published 20 hours ago verified publisher icon jmcnamara

Bug: workbook_validate_sheet_name buffer-overflow

Open wxie7 opened this issue 9 months ago • 4 comments

hello, maybe there exist a bug in workbook_validate_sheet_name. When sheetname is an empty string (""), the workbook_validate_sheet_name function does not check if the string length is 0, leading to a buffer overflow.The following is the relevant code, the crash occurs at workbook.c:workbook_validate_sheet_name.

#include "xlsxwriter.h"

int main() {

    lxw_workbook  *workbook  = workbook_new("demo.xlsx");
    lxw_worksheet *worksheet = workbook_add_worksheet(workbook, NULL);
    const char* name = "";
    lxw_error le = workbook_validate_sheet_name(workbook, name);
    if (le == LXW_NO_ERROR) {
      lxw_worksheet *worksheet = workbook_add_worksheet(workbook, name);
    }

    return 0;
}

wxie7 avatar May 08 '24 13:05 wxie7

Thanks for the report. That is omission/bug. I'll add a fix.

jmcnamara avatar May 08 '24 16:05 jmcnamara

I've pushed a fix for this to main. There is now a new error code called LXW_ERROR_SHEETNAME_IS_BLANK for this condition.

jmcnamara avatar May 08 '24 19:05 jmcnamara

Should verify in advance that name is NULL?

wxie7 avatar May 09 '24 02:05 wxie7

Should verify in advance that name is NULL?

My initial thought was that the end user should check for NULL and that workbook_validate_sheet_name() should validate the name and not the string. However, most libxlsxwriter functions check for NULL so I've added a LXW_ERROR_NULL_PARAMETER_IGNORED error as well.

I've force pushed that change to main.

jmcnamara avatar May 09 '24 07:05 jmcnamara