[Pkg-clamav-devel] Bug#775499: libmspack: off-by-one(?) buffer under-read in mspack/lzxd.c

Jakub Wilk jwilk at debian.org
Fri Jan 16 12:32:22 UTC 2015


Package: libmspack0
Version: 0.4-3
Usertags: afl

There's an off-by-one(?) buffer under-read in mspack/lzxd.c. To 
reproduce the bug, rebuild libmspack with -fsanitize=address and run:

$ test/cabd_md5 lzxd-under-read.cab
*** lzxd-under-read.cab
ERROR; file "test1.txt" cannot be extracted, cabinet set is incomplete.
lzxd-under-read.cab: error extracting "test1.txt": error in data format
=================================================================
==8354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a028ff at pc 0x80604a7 bp 0xffdf8028 sp 0xffdf801c
READ of size 1 at 0xf4a028ff thread T0
    #0 0x80604a6 in lzxd_decompress mspack/lzxd.c:516
    #1 0x80568c7 in cabd_extract mspack/cabd.c:1067
    #2 0x804a8e3 in main test/cabd_md5.c:145
    #3 0xf707ca62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #4 0x8048f10 (/home/jwilk/libmspack-0.4/test/cabd_md5+0x8048f10)

0xf4a028ff is located 1 bytes to the left of 4096-byte region [0xf4a02900,0xf4a03900)
allocated by thread T0 here:
    #0 0xf725c6e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0x80497af in m_alloc test/md5_fh.h:111
    #2 0x805c27b in lzxd_init mspack/lzxd.c:313
    #3 0x8057264 in cabd_init_decomp mspack/cabd.c:1126
    #4 0x805634f in cabd_extract mspack/cabd.c:1034
    #5 0x804a8e3 in main test/cabd_md5.c:145
    #6 0xf707ca62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)


The relevant code is:

          /* read 1-16 (not 0-15) bits to align to bytes */
          ENSURE_BITS(16);
          if (bits_left > 16) i_ptr -= 2;
          bits_left = 0; bit_buffer = 0;

          /* read 12 bytes of stored R0 / R1 / R2 values */
          for (rundest = &buf[0], i = 0; i < 12; i++) {
            READ_IF_NEEDED;
            *rundest++ = *i_ptr++;
          }

As I understand it, ENSURE_BITS can rewind i_ptr to the beginning of 
the buffer, and then "i_ptr -= 2" makes the pointer go one (or two?) 
bytes prior to the buffer.


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lzxd-under-read.cab
Type: application/x-cab
Size: 152 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20150116/63a2076d/attachment.cab>
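To show the pointer movement the report describes, here is an added constructed model of the lzxd input window and bit reader (my own code, not libmspack's; the 3-byte window, the input bytes and the no-rewind variant are assumptions). It reproduces a refill landing between the two bytes of one ENSURE_BITS read, after which "i_ptr -= 2" ends up one byte before inbuf, and contrasts it with a formulation that discards the same 1-16 bits without ever moving i_ptr backwards.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the lzxd input window and bit reader, not libmspack's
 * code. INBUF_SIZE is 3 so a refill can land between the bytes of one 16-bit read. */
#define INBUF_SIZE 3
struct rd {
    const unsigned char *file; size_t file_len, file_pos;   /* cabinet data */
    unsigned char inbuf[INBUF_SIZE], *i_ptr, *i_end;        /* input window */
    unsigned int bits_left;                                 /* bit count only */
};
/* READ_IF_NEEDED analogue: on exhaustion, refill inbuf and rewind i_ptr. */
static int read_if_needed(struct rd *r) {
    if (r->i_ptr < r->i_end) return 0;
    size_t n = r->file_len - r->file_pos;
    if (n == 0) return -1;                                  /* out of input */
    if (n > INBUF_SIZE) n = INBUF_SIZE;
    memcpy(r->inbuf, r->file + r->file_pos, n);
    r->file_pos += n; r->i_ptr = r->inbuf; r->i_end = r->inbuf + n;
    return 0;
}
/* READ_BYTES analogue: two bytes, each preceded by a possible refill. */
static int read_bytes(struct rd *r) {
    if (read_if_needed(r)) return -1; r->i_ptr++;           /* b0 */
    if (read_if_needed(r)) return -1; r->i_ptr++;           /* b1, maybe after a refill */
    r->bits_left += 16; return 0;
}
/* State from the report: one 16-bit read done, 15 bits consumed, one byte left in
 * the window. The input bytes are constructed sample data. */
static const unsigned char FILE_DATA[6] = {1, 2, 3, 4, 5, 6};
static void setup(struct rd *r) {
    memset(r, 0, sizeof *r);
    r->file = FILE_DATA; r->file_len = sizeof FILE_DATA; r->i_ptr = r->i_end = r->inbuf;
    read_bytes(r); r->bits_left = 1;
}
/* Alignment step as written in lzxd.c 0.4; returns i_ptr's offset from the start
 * of inbuf, so a negative result is the under-read. */
long align_with_rewind(void) {
    struct rd r; setup(&r);
    while (r.bits_left < 16) if (read_bytes(&r)) return -99; /* ENSURE_BITS(16) */
    if (r.bits_left > 16) r.i_ptr -= 2;                     /* crosses the refill */
    r.bits_left = 0;
    return (long)(r.i_ptr - r.inbuf);                       /* -1 */
}
/* Same 1-16 bit discard with no backward pointer move: read fresh bits only when
 * none are pending (assumes at most 15 pending, as "read 1-16 bits" implies). */
long align_without_rewind(void) {
    struct rd r; setup(&r);
    if (r.bits_left == 0 && read_bytes(&r)) return -99;
    r.bits_left = 0;
    return (long)(r.i_ptr - r.inbuf);                       /* 2 */
}
```

The second variant leaves i_ptr on the byte the rewinding version had already consumed and tried to push back across the refill, so the following 12-byte read starts in the right place and stays inside inbuf.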