[Pkg-clamav-devel] Bug#775498: libmspack: off-by-one buffer over-read in mspack/mszipd.c

Jakub Wilk jwilk at debian.org
Fri Jan 16 12:31:56 UTC 2015


Package: libmspack0
Version: 0.4-3
Tags: patch
Usertags: afl

There's an off-by-one buffer over-read in mspack/mszipd.c; please see 
the attached patch. I don't believe it's exploitable, but I could be 
wrong.

To reproduce the bug, rebuild libmspack with -fsanitize=address and 
run:

$ test/cabd_md5 mszip-over-read.cab
*** mszip-over-read.cab
=================================================================
==761==ERROR: AddressSanitizer: global-buffer-overflow on address 0x08076dde at pc 0x806adc0 bp 0xffeb3998 sp 0xffeb398c
READ of size 1 at 0x08076dde thread T0
    #0 0x806adbf in inflate mspack/mszipd.c:268
    #1 0x806c3a7 in mszipd_decompress mspack/mszipd.c:426
    #2 0x8056b04 in cabd_extract mspack/cabd.c:1074
    #3 0x804a8e3 in main test/cabd_md5.c:145
    #4 0xf70f1a62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #5 0x8048f10 (/home/jwilk/libmspack-0.4/test/cabd_md5+0x8048f10)

0x08076dde is located 0 bytes to the right of global variable 'dist_extrabits' from 'mspack/mszipd.c' (0x8076dc0) of size 30
0x08076dde is located 34 bytes to the left of global variable 'bitlen_order' from 'mspack/mszipd.c' (0x8076e00) of size 19


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mszipd-over-read.diff
Type: text/x-diff
Size: 309 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20150116/1ea16fe6/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mszipd-over-read.cab
Type: application/x-cab
Size: 212 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20150116/1ea16fe6/attachment.cab>
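The trace above points at a per-symbol table lookup in inflate: `dist_extrabits` has 30 entries, and the read lands at index 30, one byte past its end. RFC 1951 defines only distance codes 0..29, but a 5-bit fixed-Huffman distance code (or a crafted dynamic code table) can still produce symbols 30 and 31, so an inflate implementation has to reject those before indexing its tables. The following is an added example, not libmspack's code and not the attached patch (which is not reproduced on this page): a small DEFLATE distance decoder with that range check in place, using the table values from RFC 1951 and a constructed extra-bits buffer as input.

```c
/*
 * Added example, not libmspack code: decoding a DEFLATE distance symbol with
 * the bounds check an inflate implementation needs before indexing its
 * per-symbol tables. RFC 1951 defines distance codes 0..29 only, but a
 * 5-bit fixed-Huffman distance code (or a crafted dynamic table) can yield
 * symbols 30 and 31. Indexing a 30-entry dist_extrabits[] with 30 is the
 * one-byte global over-read that ASan reports in the bug above.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIST_CODES 30

/* Per RFC 1951 section 3.2.5: base distance and extra-bit count per symbol. */
static const uint16_t dist_base[DIST_CODES] = {
    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577
};
static const uint8_t dist_extrabits[DIST_CODES] = {
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13
};

enum { INF_OK = 0, INF_EOF = -1, INF_BADDIST = -2 };

/* Minimal LSB-first bit reader over an in-memory buffer (hypothetical helper). */
struct bitreader {
    const uint8_t *buf;
    size_t len, pos;
    uint32_t bitbuf;
    int bits_left;
};

static int read_bits(struct bitreader *br, int n, uint32_t *out)
{
    while (br->bits_left < n) {
        if (br->pos >= br->len) return INF_EOF;
        br->bitbuf |= (uint32_t)br->buf[br->pos++] << br->bits_left;
        br->bits_left += 8;
    }
    *out = br->bitbuf & ((1u << n) - 1);
    br->bitbuf >>= n;
    br->bits_left -= n;
    return INF_OK;
}

/*
 * Turn an already-Huffman-decoded distance symbol into a match distance.
 * Without the range check, sym == 30 would read dist_extrabits[30], one
 * byte past the end of the table (the over-read reported above), and
 * sym == 31 two bytes past. Both are reserved in RFC 1951, so a stream
 * containing them is malformed and is rejected here instead of indexed.
 */
static int decode_distance(struct bitreader *br, unsigned sym, uint32_t *dist)
{
    uint32_t extra = 0;
    if (sym >= DIST_CODES) return INF_BADDIST;   /* reserved codes 30/31 */
    if (dist_extrabits[sym] &&
        read_bits(br, dist_extrabits[sym], &extra) != INF_OK)
        return INF_EOF;
    *dist = dist_base[sym] + extra;
    return INF_OK;
}

/* Decode one distance symbol, reading its extra bits from a caller-supplied buffer. */
static int try_distance(unsigned sym, const uint8_t *extra, size_t len, uint32_t *dist)
{
    struct bitreader br = { extra, len, 0, 0, 0 };
    return decode_distance(&br, sym, dist);
}

int main(void)
{
    static const uint8_t max_extra[2] = { 0xff, 0x1f };  /* constructed: 13 extra bits, all set */
    uint32_t d = 0;
    int rc;

    rc = try_distance(29, max_extra, sizeof max_extra, &d);
    printf("sym 29: rc=%d dist=%u\n", rc, d);        /* rc=0 dist=32768 */
    rc = try_distance(30, max_extra, sizeof max_extra, &d);
    printf("sym 30: rc=%d (rejected)\n", rc);          /* rc=-2 */
    return 0;
}
```

The check is deliberately placed on the symbol, before any table is touched; checking the resulting distance against the window size is a separate, later validation and does not prevent the table over-read. Rebuilding with `-fsanitize=address`, as the report does, is the quickest way to confirm that no lookup in a decoder like this can be driven past its table.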

