oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Buffer overflow in antiword 0.37

From: Murray McAllister <mmcallis () redhat com>
Date: Tue, 02 Dec 2014 17:27:04 +1100
On 12/02/2014 03:18 AM, Fabian Keil wrote:

The attached patch prevents a buffer overflow in antiword 0.37
(http://www.winfield.demon.nl/):

Program received signal SIGBUS, Bus error.
0x000000000044b55b in vName2String (szName=0x80140d58c "\"\037\202 \306!n\"n#n$n3", aucBytes=0x7fffffffde20 "\"", 
tNameSize=32767) at wordole.c:74
74                      *pcChar = (char)aucBytes[tIndex];
(gdb) f 1
#1  0x00000000004499f2 in bGetPPS (pFile=0x800c19190, aulRootList=0x801409060, tRootListLen=4, pPPS=0x7fffffffe3b0) at 
wordole.c:262
262                     vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
(gdb) l -
257                             atPPSlist = xfree(atPPSlist);
258                             return FALSE;
259                     }
260                     tNameSize = (size_t)usGetWord(0x40, aucBytes);
261                     tNameSize = (tNameSize + 1) / 2;
262                     vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
263                     atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
264                     if (atPPSlist[iIndex].ucType == 5) {
265                             iRootIndex = iIndex;
266                     }
(gdb) p sizeof(atPPSlist[iIndex].szName)
$1 = 32
(gdb) p tNameSize
$2 = 32767
(gdb) l vName2String
56      /*
57       * vName2String - turn the name into a proper string.
58       */
59      static void
60      vName2String(char *szName, const UCHAR *aucBytes, size_t tNameSize)
61      {
62              char    *pcChar;
63              size_t  tIndex;
64      
65              fail(aucBytes == NULL || szName == NULL);
(gdb) l
66      
67              if (tNameSize < 2) {
68                      szName[0] = '\0';
69                      return;
70              }
71              for (tIndex = 0, pcChar = szName;
72                   tIndex < 2 * tNameSize;
73                   tIndex += 2, pcChar++) {
74                      *pcChar = (char)aucBytes[tIndex];
75              }
(gdb)
76              szName[tNameSize - 1] = '\0';
77      } /* end of vName2String */

The buffer overflow has been reported upstream and the patch was accepted,
but apparently there will not be an official antiword release any time soon.

The bug was found with afl-fuzz.

Fabian



This issue was assigned CVE-2014-8123 on the distros list.

Cheers,

--
Murray McAllister / Red Hat Product Security
Previous By Date Next
Previous By Thread Next

Current thread: