[Pkg-clamav-devel] Bug#774767: Bug#774726: libmspack: CHM decompression: pointer arithmetic overflow

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Wed Jan 7 12:13:57 UTC 2015


* Jakub Wilk | 2015-01-06 21:18:30 [+0100]:

>Two sample CHM files that trigger segfaults, which are caused by the
>overflows, are also attached.
>
>This bug does affect ClamAV.

How do you trigger this? I tried both files with "cabextract -t",
clamdscan, clamscan and chmd_md5. None of those segfaulted; I saw,
however, this message from clamscan --debug:
|Scanning /home/bigeasy/crash449.chm
|LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
|LibClamAV debug: Recognized MS CHM file
|LibClamAV debug: cache_check: 18e5f920cca46633a9d21539c00603d2 is negative
|LibClamAV debug: mspack_fmap_message() WARNING; PMGL quickref area is too large
|LibClamAV debug: mspack_fmap_message() WARNING; contents are corrupt
|LibClamAV debug: CDBNAME:CL_TYPE_MSCHM:0:/#IDXHDR:0:4096:0:0:0:(nil)
|LibClamAV debug: cli_scanmschm() failed to extract 8
|LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
|LibClamAV debug: cli_magic_scandesc: returning 8  at line 2327
|/home/bigeasy/crash449.chm: Can't open file or directory ERROR

which suggests that it noticed the invalid structure and aborted.
I had, however, no problem reproducing the previous bug. I tried amd64
stable + unstable. Any hints?

Sebastian
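The bug class named in the subject line, a pointer-arithmetic overflow while checking a length field read from an untrusted CHM file, comes down to how a bounds check is written. The following is an added illustration, not code from libmspack, ClamAV or anyone in this thread: the header layout is constructed, the function names are hypothetical, and it only shows why `offset + len <= total` is the wrong test and `len <= total - offset` (after checking `offset <= total`) is the right one, which is the kind of rejection the "quickref area is too large" warning above reflects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration (not libmspack code): deciding whether a
 * sub-region [offset, offset+len) lies inside a buffer of 'total' bytes,
 * as a parser must do before touching a variable-size area whose length
 * comes from the file. */

/* Overflow-prone form. offset + len wraps modulo SIZE_MAX+1 when the
 * file-controlled length is large, so the comparison passes and a later
 * base + offset + len pointer points outside the buffer. */
int region_fits_unsafe(size_t total, size_t offset, size_t len)
{
    return offset + len <= total;   /* wraps on overflow: wrong answer */
}

/* Overflow-safe form. Never compute offset + len: first confirm the
 * offset itself is inside the buffer, then compare the length against the
 * remaining space; total - offset cannot underflow once offset <= total. */
int region_fits_safe(size_t total, size_t offset, size_t len)
{
    if (offset > total)
        return 0;
    return len <= total - offset;
}

/* Minimal parser over a constructed in-memory header: bytes 0..3 are a
 * little-endian length the file claims for an area that starts at byte 4.
 * Returns a pointer to the area, or NULL if the claim does not fit. */
const unsigned char *read_area(const unsigned char *buf, size_t total,
                               size_t *area_len)
{
    if (!region_fits_safe(total, 0, 4))
        return NULL;
    size_t len = (size_t)buf[0] | ((size_t)buf[1] << 8) |
                 ((size_t)buf[2] << 16) | ((size_t)buf[3] << 24);
    if (!region_fits_safe(total, 4, len))
        return NULL;            /* "area is too large" style rejection */
    *area_len = len;
    return buf + 4;
}

/* Constructed hostile sample: a 16-byte buffer claiming a 0xFFFFFFFF-byte
 * area. Returns 1 if the parser rejected it, 0 if it wrongly accepted it. */
int hostile_header_rejected(void)
{
    static const unsigned char hostile[16] = { 0xff, 0xff, 0xff, 0xff };
    size_t n = 0;
    return read_area(hostile, sizeof hostile, &n) == NULL;
}

/* Constructed benign sample: 16-byte buffer claiming a 12-byte area,
 * which exactly fills the space after the 4-byte length field.
 * Returns the accepted area length, or 0 if rejected. */
size_t benign_header_len(void)
{
    static const unsigned char benign[16] = { 0x0c, 0x00, 0x00, 0x00 };
    size_t n = 0;
    return read_area(benign, sizeof benign, &n) ? n : 0;
}

int main(void)
{
    printf("hostile header: %s\n",
           hostile_header_rejected() ? "rejected" : "accepted (bug)");
    printf("benign header: area of %zu bytes\n", benign_header_len());
    /* The unsafe check wraps SIZE_MAX-1 + 4 to 2 and says the region fits. */
    printf("unsafe check, offset=SIZE_MAX-1 len=4: %d\n",
           region_fits_unsafe(16, SIZE_MAX - 1, 4));
    printf("safe   check, offset=SIZE_MAX-1 len=4: %d\n",
           region_fits_safe(16, SIZE_MAX - 1, 4));
    return 0;
}
```

The same wrap-around happens with 32-bit offsets when `4 + 0xFFFFFFFF` is computed, which is why a length that is "too large" must be compared against the remaining space rather than added to the current position.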