Mikko Heinonen 7.2.2008
Microsoft Excel 2007 Bug
Contents
• 65535 = 100000
• Location of the bug
• IEEE 754 floating-point format
• The Bug
• The Microsoft Hotfix
• Damages
65535 = 100000?
• Found 22.9.2007
• 850 * 77,1 displays as 100000. Should be 65535
• Excel 2007 formats twelve values wrong
• 9.2*10^18 possible 64-bit floating-point values
• ~65535 = 100000 and ~65536 = 100001
Location of the bug
• Error in the 64-bit floating-point to string conversion routine.
• The routine converts the binary representation of a 64-bit IEEE 754 double to a Unicode text string.
• The older 16-bit formatting routine was updated to a 32-bit version in Excel 2007.
IEEE 754 64-bit floating-point format
• 1 bit for the sign, 11 bits for the exponent, and 52 bits for the mantissa
• The mantissa corresponds to 15 digits of decimal accuracy. Excel rounds answers to 15 digits.
• 0.1 = 0.000110011001100… in binary
• 65535-2^(-37) should be rounded to 65535, but the new 32-bit routine fails.
The Bug
• Rendering bug, not a math bug. Numbers are stored correctly. 850 * 77,1 * 2 = 131070
• The routine's divisor table pointer points to the wrong divisor because of the bug.
• (65536-2^(-37))/65535 = 1, with remainder 1. 1/10000 = 0. 1/1000 = 0. 1/100 = 0. 1/10 = 0. 1/1 = 1. => 100001
• The -2^(-37) term causes the table to be misaligned.
The Bug
• Overflow is possible only when the value is sufficiently near the integer 65535.
• The routine is hand-coded assembly, likely done to improve performance.
• Microsoft engineers should have caught the bug in tests. 65535 = 2^16
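Added example, not part of the original slides: a Python differential check that decodes the stored double for 850 * 77,1 and compares a renderer's displayed text against an independent 15-digit reference. The names `fields`, `reference_display`, `rendering_errors` and the `OBSERVED` sample are constructed here, and round-half-even in the reference is an assumption.

```python
import struct
from decimal import Decimal, Context, ROUND_HALF_EVEN

def fields(x):
    """Split a double into (sign, unbiased exponent, 52-bit mantissa field)."""
    bits = struct.unpack(">Q", struct.pack(">d", x))[0]
    return bits >> 63, ((bits >> 52) & 0x7FF) - 1023, bits & ((1 << 52) - 1)

def reference_display(x, digits=15):
    """Round the exactly stored value to `digits` significant digits."""
    exact = Decimal(x)  # Decimal(float) converts the stored bits exactly
    # Rounding mode is an assumption; it does not affect the values below.
    rounded = Context(prec=digits, rounding=ROUND_HALF_EVEN).plus(exact)
    return format(rounded.normalize(), "f")

def rendering_errors(cases):
    """Return (value, shown, expected) for every display that is wrong."""
    return [(x, shown, reference_display(x))
            for x, shown in cases if shown != reference_display(x)]

STORED = 850 * 77.1  # the product from the slides, as an IEEE 754 double

# Constructed test input: (stored value, text the renderer displayed),
# using the displays reported on the slides.
OBSERVED = [
    (STORED, "100000"),              # slides: shown as 100000
    (65536 - 2.0 ** -37, "100001"),  # slides: ~65536 shown as 100001
    (STORED * 2, "131070"),          # slides: this one displays correctly
]

if __name__ == "__main__":
    print(fields(STORED), Decimal(STORED))
    for value, shown, expected in rendering_errors(OBSERVED):
        print(f"{value!r}: displayed {shown}, should be {expected}")
```

The stored value is the double immediately below 65535, so the arithmetic is intact and only the text conversion disagrees with the reference.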
The Microsoft Hotfix
• Released on 10.10.2007.
• 18 days after being found.
• Routine fixed by adding a new check.
• Avoids the overflow causing the table pointer to be set wrong.
Damages
• No damages reported.
• No security holes found.
• Malformed Excel files can be used to find holes or exploits.