Created attachment 1399239 [details] POC file that crashing FreeXL in freexl.c:3912 read_mini_biff_next_record Description of problem: The freexl.c:3912 read_mini_biff_next_record function in FreeXL 1.0.4 may result a heap-buffer-overflow via a crafted xls file. Version-Release number of selected component (if applicable): 1.0.4 How reproducible: /examples/test_xl $POC Steps to Reproduce: /examples/test_xl $POC Actual results: Segmentation fault Expected results: Additional info: The output of test_xl with address sanitizer enabled ./test_xl /root/fuzz/freexl/freexl-freexl-3912-overflow ================================================================= ==51019==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62000000fe80 at pc 0x7fd0aad4b935 bp 0x7ffcc8ddd3f0 sp 0x7ffcc8ddcb98 READ of size 65535 at 0x62000000fe80 thread T0 #0 0x7fd0aad4b934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934) #1 0x41a15a in read_mini_biff_next_record /root/asan/freexl-1.0.4/src/freexl.c:3912 #2 0x41b563 in common_open /root/asan/freexl-1.0.4/src/freexl.c:4119 #3 0x41be70 in freexl_open /root/asan/freexl-1.0.4/src/freexl.c:4231 #4 0x401709 in main /root/asan/freexl-1.0.4/examples/test_xl.c:84 #5 0x7fd0aa60c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #6 0x4013a8 in _start (/root/asan/freexl-1.0.4/examples/test_xl+0x4013a8) 0x62000000fe80 is located 0 bytes to the right of 3584-byte region [0x62000000f080,0x62000000fe80) allocated by thread T0 here: #0 0x7fd0aad57602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x40bffb in read_mini_stream /root/asan/freexl-1.0.4/src/freexl.c:1677 #2 0x41b4a5 in common_open /root/asan/freexl-1.0.4/src/freexl.c:4113 #3 0x41be70 in freexl_open /root/asan/freexl-1.0.4/src/freexl.c:4231 #4 0x401709 in main /root/asan/freexl-1.0.4/examples/test_xl.c:84 #5 0x7fd0aa60c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy Shadow bytes around the buggy address: 0x0c407fff9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c407fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c407fff9fd0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c407fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==51019==ABORTING Weiran Labs, Zhaoliang leon.zhao.7
freexl-1.0.5-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eb691e7d7
freexl-1.0.5-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-9111777f91
freexl-1.0.5-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2ffe688829
freexl-1.0.5-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5573046c3b
freexl-1.0.5-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5573046c3b
freexl-1.0.5-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2ffe688829
freexl-1.0.5-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-9111777f91
freexl-1.0.5-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2eb691e7d7
Hi MITRE has assigned CVE-2018-7439 for this issue. Regards, Salvatore
Leon, can you consider doing an oss-security post about your findings mentioning the assigned CVEs?
freexl-1.0.5-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
freexl-1.0.5-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
freexl-1.0.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
freexl-1.0.5-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
freexl-1.0.5-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-62268d69c9
freexl-1.0.5-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-62268d69c9
freexl-1.0.5-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.