[Pkg-clamav-devel] Bug#775687: libmspack: CHM decompression: another pointer arithmetic overflow

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Jan 18 22:00:33 UTC 2015


On 2015-01-18 18:59:33 [+0100], Jakub Wilk wrote:
> Sorry, it's me again! libmspack crashes on the attached file:
As I've seen your ubsan reports, I assumed you were done. Wrong this
was.

> $ gpg -d < crash.chm.asc > crash.chm
> $ test/chmd_md5 crash.chm
> *** crash.chm
> 
> but it'd be better to fix the thing that sets "p" to a value past the "end".

So something like the patch attached then? But this should be
double-checked in case we properly come to the end and don't continue
using p anymore. But not today…

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mspack-chmd-check-p-end-also-after-we-left.patch
Type: text/x-diff
Size: 1063 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20150118/9a4a30a9/attachment.patch>

