oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Buffer overflow in antiword 0.37

From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Mon, 1 Dec 2014 17:18:06 +0100
The attached patch prevents a buffer overflow in antiword 0.37
(http://www.winfield.demon.nl/):

Program received signal SIGBUS, Bus error.
0x000000000044b55b in vName2String (szName=0x80140d58c "\"\037\202 \306!n\"n#n$n3", aucBytes=0x7fffffffde20 "\"", 
tNameSize=32767) at wordole.c:74
74                      *pcChar = (char)aucBytes[tIndex];
(gdb) f 1
#1  0x00000000004499f2 in bGetPPS (pFile=0x800c19190, aulRootList=0x801409060, tRootListLen=4, pPPS=0x7fffffffe3b0) at 
wordole.c:262
262                     vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
(gdb) l -
257                             atPPSlist = xfree(atPPSlist);
258                             return FALSE;
259                     }
260                     tNameSize = (size_t)usGetWord(0x40, aucBytes);
261                     tNameSize = (tNameSize + 1) / 2;
262                     vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
263                     atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
264                     if (atPPSlist[iIndex].ucType == 5) {
265                             iRootIndex = iIndex;
266                     }
(gdb) p sizeof(atPPSlist[iIndex].szName)
$1 = 32
(gdb) p tNameSize
$2 = 32767
(gdb) l vName2String
56      /*
57       * vName2String - turn the name into a proper string.
58       */
59      static void
60      vName2String(char *szName, const UCHAR *aucBytes, size_t tNameSize)
61      {
62              char    *pcChar;
63              size_t  tIndex;
64      
65              fail(aucBytes == NULL || szName == NULL);
(gdb) l
66      
67              if (tNameSize < 2) {
68                      szName[0] = '\0';
69                      return;
70              }
71              for (tIndex = 0, pcChar = szName;
72                   tIndex < 2 * tNameSize;
73                   tIndex += 2, pcChar++) {
74                      *pcChar = (char)aucBytes[tIndex];
75              }
(gdb) 
76              szName[tNameSize - 1] = '\0';
77      } /* end of vName2String */

The buffer overflow has been reported upstream and the patch was accepted,
but apparently there will not be an official antiword release any time soon.

The bug was found with afl-fuzz.

Fabian

Attachment: antiword-bGetPPS-Prevent-buffer-overflow-of-atPPSlist-.szName.diff
Description:

Attachment: _bin
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: