[Pkg-clamav-devel] Bug#775687: libmspack: CHM decompression: another pointer arithmetic overflow

Stuart Caie kyzer at cabextract.org.uk
Mon Jan 19 00:07:04 UTC 2015


On 18/01/2015 22:00, Sebastian Andrzej Siewior wrote:
> On 2015-01-18 18:59:33 [+0100], Jakub Wilk wrote:
>> Sorry, it's me again! libmspack crashes on the attached file:
> As I've seen your ubsan reports, I assumed you were done. Wrong this
> was.
>
>> $ gpg -d < crash.chm.asc > crash.chm
>> $ test/chmd_md5 crash.chm
>> *** crash.chm
>>
>> but it'd be better to fix the thing that sets "p" to a value past the "end".
> So something like the patch attached then? But this should be
> double-checked in case we properly come to end and don't continue
> using p anymore. But not today…
>
I made this change instead.

@@ -254,7 +254,7 @@
  #define READ_ENCINT(var) do {                  \
      (var) = 0;                                 \
      do {                                       \
-       if (p > end) goto chunk_end;            \
+       if (p >= end) goto chunk_end;           \
         (var) = ((var) << 7) | (*p & 0x7F);     \
      } while (*p++ & 0x80);                     \
  } while (0)
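Review bot: the comparison change is the right one, provided `end` is the one-past-the-end pointer of the chunk, which the fix implies: with the old `if (p > end)` the macro still fell through when `p == end` and dereferenced `*p`, one byte past the chunk, both in `(*p & 0x7F)` and in the loop condition `*p++ & 0x80`. With `p >= end` every read of `*p` inside the macro is now preceded by a `p < end` check, because the `while` condition reads `p` before the post-increment advances it. Two things would make the hunk easier to review later: a comment on the macro saying that `p` and `end` are free variables it relies on, and that `var` is left partially accumulated when the `goto chunk_end` path is taken, so nothing after `chunk_end:` may use it; and a regression test built from the crash.chm attached to the report, so the overread stays fixed.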

Regards
Stuart
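As an added example, not libmspack's code and not part of this thread: a stand-alone C decoder for the variable-length integer that the READ_ENCINT macro above reads (7 data bits per byte, most significant group first, high bit 0x80 meaning another byte follows). It keeps the original `p > end` check beside the corrected `p >= end` check so the one-byte overread is visible on a constructed truncated chunk, and adds a small chunk walker of the kind a directory parser would use. The function names (`read_encint`, `read_encint_lax`, `count_encints`, the `demo_*` helpers) and all sample bytes are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input: one well-formed two-byte ENCINT,
 * 0x81 0x7F = (1 << 7) | 0x7F = 255. */
static const unsigned char good_chunk[] = { 0x81, 0x7F };

/* Constructed sample input: a two-byte chunk whose last byte still has the
 * continuation bit set (truncated value), followed by one byte that lies
 * OUTSIDE the chunk. The decoder is handed end = truncated + 2, so the
 * trailing 0x01 acts as a canary: a decoder that reads it has overrun. */
static const unsigned char truncated[] = { 0x81, 0x80, 0x01 };
#define TRUNCATED_CHUNK_LEN 2

/* Constructed sample input: three consecutive values 5, 255, 2. */
static const unsigned char multi_chunk[] = { 0x05, 0x81, 0x7F, 0x02 };

/* Core decoder. Returns bytes consumed, or 0 if the value would run past
 * `end` (the exclusive limit of the chunk); *out is 0 in that case.
 * strict == 1 uses the patched check (p >= end), strict == 0 the original
 * check (p > end), which still dereferences the byte at `end`. */
static size_t decode_encint(const unsigned char *p, const unsigned char *end,
                            uint64_t *out, int strict)
{
    const unsigned char *start = p;
    uint64_t var = 0;
    do {
        /* Bounds check before *p is touched. */
        if (strict ? (p >= end) : (p > end)) {
            *out = 0;
            return 0;                /* caller treats 0 as "chunk ended early" */
        }
        var = (var << 7) | (*p & 0x7F);
    } while (*p++ & 0x80);           /* reads the same p that was just checked */
    *out = var;
    return (size_t)(p - start);
}

size_t read_encint(const unsigned char *p, const unsigned char *end, uint64_t *out)
{
    return decode_encint(p, end, out, 1);
}

/* The pre-patch behaviour, kept only to show the overread. */
size_t read_encint_lax(const unsigned char *p, const unsigned char *end, uint64_t *out)
{
    return decode_encint(p, end, out, 0);
}

/* Decodes consecutive ENCINTs from [p, end) into vals, stopping cleanly
 * when a value is cut off. Returns how many complete values were read. */
size_t count_encints(const unsigned char *p, const unsigned char *end,
                     uint64_t *vals, size_t max)
{
    size_t n = 0;
    while (p < end && n < max) {
        size_t used = read_encint(p, end, &vals[n]);
        if (used == 0) break;        /* truncated value: stop, do not advance */
        p += used;
        n++;
    }
    return n;
}

uint64_t demo_good_value(void)
{
    uint64_t v;
    read_encint(good_chunk, good_chunk + sizeof good_chunk, &v);
    return v;                        /* 255 */
}

size_t demo_truncated_strict(void)
{
    uint64_t v;
    return read_encint(truncated, truncated + TRUNCATED_CHUNK_LEN, &v);   /* 0 */
}

size_t demo_truncated_lax(void)
{
    uint64_t v;
    /* Consumes 3 bytes although the chunk is only 2 long: the canary was read. */
    return read_encint_lax(truncated, truncated + TRUNCATED_CHUNK_LEN, &v); /* 3 */
}

size_t demo_count_ok(void)
{
    uint64_t vals[8];
    return count_encints(multi_chunk, multi_chunk + sizeof multi_chunk, vals, 8); /* 3 */
}

size_t demo_count_truncated(void)
{
    uint64_t vals[8];
    /* Only the first two bytes: 0x05 decodes, 0x81 is cut off. */
    return count_encints(multi_chunk, multi_chunk + 2, vals, 8);          /* 1 */
}

int main(void)
{
    printf("good value          : %llu\n", (unsigned long long)demo_good_value());
    printf("truncated, strict   : consumed %zu of %d\n", demo_truncated_strict(), TRUNCATED_CHUNK_LEN);
    printf("truncated, lax      : consumed %zu of %d\n", demo_truncated_lax(), TRUNCATED_CHUNK_LEN);
    printf("values in multi_chunk: %zu\n", demo_count_ok());
    return 0;
}
```

The lax decoder returning 3 for a 2-byte chunk is the overread the patch closes: the byte at `end` is read both for its data bits and for the continuation test. On the real CHM code that byte may be unmapped memory, which is what the attached crash.chm triggers.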