oss-sec mailing list archives
Re: Buffer overflow in antiword 0.37
From: Murray McAllister <mmcallis () redhat com>
Date: Tue, 02 Dec 2014 17:27:04 +1100
On 12/02/2014 03:18 AM, Fabian Keil wrote:
The attached patch prevents a buffer overflow in antiword 0.37 (http://www.winfield.demon.nl/): Program received signal SIGBUS, Bus error. 0x000000000044b55b in vName2String (szName=0x80140d58c "\"\037\202 \306!n\"n#n$n3", aucBytes=0x7fffffffde20 "\"", tNameSize=32767) at wordole.c:74 74 *pcChar = (char)aucBytes[tIndex]; (gdb) f 1 #1 0x00000000004499f2 in bGetPPS (pFile=0x800c19190, aulRootList=0x801409060, tRootListLen=4, pPPS=0x7fffffffe3b0) at wordole.c:262 262 vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize); (gdb) l - 257 atPPSlist = xfree(atPPSlist); 258 return FALSE; 259 } 260 tNameSize = (size_t)usGetWord(0x40, aucBytes); 261 tNameSize = (tNameSize + 1) / 2; 262 vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize); 263 atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes); 264 if (atPPSlist[iIndex].ucType == 5) { 265 iRootIndex = iIndex; 266 } (gdb) p sizeof(atPPSlist[iIndex].szName) $1 = 32 (gdb) p tNameSize $2 = 32767 (gdb) l vName2String 56 /* 57 * vName2String - turn the name into a proper string. 58 */ 59 static void 60 vName2String(char *szName, const UCHAR *aucBytes, size_t tNameSize) 61 { 62 char *pcChar; 63 size_t tIndex; 64 65 fail(aucBytes == NULL || szName == NULL); (gdb) l 66 67 if (tNameSize < 2) { 68 szName[0] = '\0'; 69 return; 70 } 71 for (tIndex = 0, pcChar = szName; 72 tIndex < 2 * tNameSize; 73 tIndex += 2, pcChar++) { 74 *pcChar = (char)aucBytes[tIndex]; 75 } (gdb) 76 szName[tNameSize - 1] = '\0'; 77 } /* end of vName2String */ The buffer overflow has been reported upstream and the patch was accepted, but apparently there will not be an official antiword release any time soon. The bug was found with afl-fuzz. Fabian
This issue was assigned CVE-2014-8123 on the distros list. Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- Buffer overflow in antiword 0.37 Fabian Keil (Dec 01)
- Re: Buffer overflow in antiword 0.37 Murray McAllister (Dec 01)
- Re: Buffer overflow in antiword 0.37 Fabian Keil (Dec 04)