[Pkg-clamav-devel] Bug#775687: libmspack: CHM decompression: another pointer arithmetic overflow

Jakub Wilk jwilk at debian.org
Sun Jan 18 17:59:33 UTC 2015


Package: libmspack0
Version: 0.4-3
Severity: grave
Tags: security
Usertags: afl

Sorry, it's me again! libmspack crashes on the attached file:

$ gpg -d < crash.chm.asc > crash.chm
$ test/chmd_md5 crash.chm
*** crash.chm
WARNING; contents are corrupt
d41d8cd98f00b204e9800998ecf8427e /#ITBITS
5c9d7ff7a1fdaf9bcb9b3fc78b677972 /#SYSTEM
Segmentation fault

Backtrace:
#0  0x56559ca6 in search_chunk (chm=0x565641a8, chunk=0x565652e8 "PMGL\323\r", filename=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData", result=0xffffd3a4, result_end=0xffffd3a8) at mspack/chmd.c:805
#1  0x5655943b in chmd_fast_find (base=0x56564008, chm=0x565641a8, filename=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData", f_ptr=0xffffd430, f_size=28) at mspack/chmd.c:581
#2  0x5655b3c7 in find_sys_file (self=0x56564008, sec=0x565641d8, f_ptr=0x565641e4, name=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData") at mspack/chmd.c:1304
#3  0x5655aa4a in chmd_init_decomp (self=0x56564008, file=0x56565228) at mspack/chmd.c:1075
#4  0x5655a787 in chmd_extract (base=0x56564008, file=0x56565228, filename=0x0) at mspack/chmd.c:998
#5  0x56556304 in main (argc=2, argv=0xffffd848) at test/chmd_md5.c:44


The problem is that the bounds check in mspack/chmd.c:788:

        if (name_len > end - p) goto chunk_end;

doesn't work on 32-bit systems if "p" is already bigger than "end" (as 
is the case for crash.chm), because negative "end - p" gets 
automatically converted to unsigned int.

A quick and dirty fix would be to rewrite the bounds checks as

        if (p > end || name_len > end - p) goto chunk_end;

but it'd be better to fix the thing that sets "p" to a value past the 
"end".


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

-- 
Jakub Wilk
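Added example (not part of the report above, and not libmspack's code): a small C program that models the comparison at chmd.c:788 the way the report describes it. The chunk layout is a constructed toy (one length byte followed by the name), not the real PMGL encoding; the `check_allows_*` functions take an integer offset in place of `p` and narrow the difference to int32_t or int64_t as an assumption, so that the i386 and amd64 behaviour can both be reproduced on one host. `find_entry` shows the walker with the untrusted offset validated before `p` is formed, which is the upstream fix the report asks for rather than the quick one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed sample chunk (toy layout, NOT the real PMGL encoding):
 * each entry is [1-byte name_len][name bytes].
 */
static const unsigned char sample_chunk[] = {
    3, 'a', 'b', 'c',
    4, 'd', 'a', 't', 'a',
};
#define SAMPLE_CHUNK_SIZE sizeof(sample_chunk)

/*
 * Model of "if (name_len > end - p)" as it behaves on i386, where ptrdiff_t
 * is a 32-bit int.  `offset` plays the role of p - chunk and may already be
 * past `size` (p > end), as in crash.chm.  Narrowing to int32_t is an
 * assumption made so the i386 behaviour reproduces on a 64-bit host.
 * Returns 1 if the check lets a read of name_len bytes proceed.
 */
static int check_allows_i386(size_t size, size_t offset, unsigned int name_len)
{
    int32_t avail = (int32_t)((ptrdiff_t)size - (ptrdiff_t)offset); /* end - p */
    /* name_len is unsigned int and avail is a signed int of the same rank,
       so avail is converted to unsigned: -4 becomes 4294967292 and the
       comparison no longer rejects. */
    if (name_len > avail) return 0;   /* goto chunk_end */
    return 1;
}

/* Same check with a 64-bit ptrdiff_t (amd64): unsigned int is converted to
   the wider signed type, a negative difference stays negative, and the
   check rejects as intended. */
static int check_allows_amd64(size_t size, size_t offset, unsigned int name_len)
{
    int64_t avail = (int64_t)((ptrdiff_t)size - (ptrdiff_t)offset);
    if (name_len > avail) return 0;
    return 1;
}

/* The report's quick fix: reject p > end before subtracting. */
static int check_allows_fixed(size_t size, size_t offset, unsigned int name_len)
{
    if (offset > size) return 0;                  /* p > end */
    if (name_len > (size_t)(size - offset)) return 0;
    return 1;
}

/*
 * Toy entry walker using the fixed check.  `start` is an untrusted offset,
 * the kind of value that leaves p past end if it is not validated.  Returns
 * the byte offset of the entry whose name matches, or -1 if the name is
 * absent or the chunk is rejected as truncated/corrupt.
 */
static long find_entry(const unsigned char *buf, size_t size, size_t start,
                       const char *name)
{
    const unsigned char *end = buf + size;
    const unsigned char *p;
    size_t want = strlen(name);

    if (start > size) return -1;                  /* validate before forming p */
    p = buf + start;
    while (p < end) {
        unsigned int name_len = *p++;
        if (name_len > (size_t)(end - p)) return -1;   /* chunk_end: truncated entry */
        if (name_len == want && memcmp(p, name, want) == 0)
            return (long)((p - 1) - buf);
        p += name_len;
    }
    return -1;
}
```

With offset = size + 4 and name_len = 10, `check_allows_i386` accepts the read while `check_allows_amd64` and `check_allows_fixed` reject it, which is why the crash only shows up on the 32-bit build.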
