DuckDB v0.10.2 (duckdb_cli-linux-amd64) crashes with a crafted TEXT expression. It can also be reproduced in the nightly build.
PoC:
SELECT TEXT(1234567.897, '$#,##09999999999999999999999999999999999999999999999999999999999999999999999');
Backtrace:
Thread 1 "duckdb" received signal SIGSEGV, Segmentation fault.
0x00007ffff7cf999d in ?? ()
(gdb) bt
#0 0x00007ffff7cf999d in ?? ()
#1 0x0000000000000008 in ?? ()
#2 0xdecf4d5ff2c4cc00 in ?? ()
#3 0x00007fffffffbb78 in ?? ()
#4 0x0000000000000063 in ?? ()
#5 0x0000000002bd0250 in ?? ()
#6 0x0000000001b869a3 in duckdb_excel::ImpSvNumberformatScan::InsertSymbol(unsigned short&, duckdb_excel::NfSymbolType, std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ()
#7 0x0000000001b9e5f6 in duckdb_excel::ImpSvNumberformatScan::FinalScan(std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >&, std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >&) ()
#8 0x0000000001b9fe6c in duckdb_excel::SvNumberformat::InitFormat(std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >&, duckdb_excel::LocaleData*, duckdb_excel::ImpSvNumberInputScan*, unsigned short&, duckdb_excel::LocaleIndentifier, bool) ()
#9 0x0000000001ba0854 in duckdb_excel::SvNumberformat::SvNumberformat(std::string&, duckdb_excel::LocaleData*, duckdb_excel::ImpSvNumberInputScan*, unsigned short&, duckdb_excel::LocaleIndentifier, bool) ()
#10 0x0000000001b7b10b in duckdb::GetNumberFormatString(std::string&, double) ()
#11 0x0000000001b7b235 in duckdb::NumberFormatScalarFunction(duckdb::Vector&, double, duckdb::string_t) ()
#12 0x0000000001b7d5ab in duckdb::NumberFormatFunction(duckdb::DataChunk&, duckdb::ExpressionState&, duckdb::Vector&) ()
#13 0x0000000000a9a107 in duckdb::ExpressionExecutor::Execute(duckdb::Expression const&, duckdb::ExpressionState*, duckdb::SelectionVector const*, unsigned long, duckdb::Vector&) ()
#14 0x0000000000a9a865 in duckdb::ExpressionExecutor::EvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, bool) ()
#15 0x0000000000a9aaad in duckdb::ExpressionExecutor::TryEvaluateScalar(duckdb::ClientContext&, duckdb::Expression const&, duckdb::Value&) ()
#16 0x0000000000c8f966 in duckdb::ConstantFoldingRule::Apply(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Expression>, true>&, bool&, bool) ()
#17 0x0000000000c9b6ce in duckdb::ExpressionRewriter::ApplyRules(duckdb::LogicalOperator&, duckdb::vector<std::reference_wrapper<duckdb::Rule>, true> const&, duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>, bool&, bool) ()
#18 0x0000000000c9b94a in duckdb::ExpressionRewriter::VisitExpression(duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*) ()
#19 0x0000000000d4d410 in duckdb::LogicalOperatorVisitor::EnumerateExpressions(duckdb::LogicalOperator&, std::function<void (duckdb::unique_ptr<duckdb::Expression, std::default_delete<duckdb::Expression>, true>*)> const&) ()
#20 0x0000000000d4d7ad in duckdb::LogicalOperatorVisitor::VisitOperatorExpressions(duckdb::LogicalOperator&) ()
#21 0x0000000000c9f512 in duckdb::ExpressionRewriter::VisitOperator(duckdb::LogicalOperator&) ()
#22 0x0000000000c9a476 in duckdb::Optimizer::RunOptimizer(duckdb::OptimizerType, std::function<void ()> const&) ()
#23 0x0000000000c9c167 in duckdb::Optimizer::Optimize(duckdb::unique_ptr<duckdb::LogicalOperator, std::default_delete<duckdb::LogicalOperator>, true>) ()
#24 0x0000000000b00189 in duckdb::ClientContext::CreatePreparedStatementInternal(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >) ()
#25 0x0000000000b009c3 in duckdb::ClientContext::CreatePreparedStatement(duckdb::ClientContextLock&, std::string const&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>, duckdb::optional_ptr<std::unordered_map<std::string, duckdb::Value, duckdb::CaseInsensitiveStringHashFunction, duckdb::CaseInsensitiveStringEquality, std::allocator<std::pair<std::string const, duckdb::Value> > > >, duckdb::PreparedStatementMode) ()
#26 0x0000000000b00b4c in std::_Function_handler<void (), duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>)::{lambda()#1}>::_M_invoke(std::_Any_data const&) ()
#27 0x0000000000af9c49 in duckdb::ClientContext::RunFunctionInTransactionInternal(duckdb::ClientContextLock&, std::function<void ()> const&, bool) ()
#28 0x0000000000afa6a2 in duckdb::ClientContext::PrepareInternal(duckdb::ClientContextLock&, duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#29 0x0000000000b08678 in duckdb::ClientContext::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#30 0x0000000000b08725 in duckdb::Connection::Prepare(duckdb::unique_ptr<duckdb::SQLStatement, std::default_delete<duckdb::SQLStatement>, true>) ()
#31 0x00000000006da751 in duckdb_shell_sqlite3_prepare_v2 ()
#32 0x00000000006c7f40 in shell_exec ()
#33 0x00000000006c9b50 in runOneSqlLine.constprop.0 ()
#34 0x00000000006d2025 in process_input ()
#35 0x00000000006a6ab7 in main ()
OS:
Ubuntu 22.04 x64
DuckDB Version:
v0.10.2
DuckDB Client:
cli
Full Name:
Jingzhou Fu
Affiliation:
Wingtecher Lab of Tsinghua University
What is the latest build you tested with? If possible, we recommend testing with the latest nightly build.
I have tested with a nightly build
Did you include all relevant data sets for reproducing the issue?
Yes
Did you include all code required to reproduce the issue?
Did you include all relevant configuration (e.g., CPU architecture, Python version, Linux distribution) to reproduce the issue?