oss-sec mailing list archives

catdoc has bugs


From: Dean Pierce <pierce403 () gmail com>
Date: Fri, 13 Mar 2015 12:23:09 -0700

"catdoc" is a command line tool for extracting readable text from
Microsoft office documents.  It is used by the command "less" when
opening a .doc file, and if it's not installed, less will ask you to
install it.  It's also listed as a forensics tool on certain websites.
Catdoc has bugs.

The attached* word documents were generated with American Fuzzy Lop.
The first attached tarball contains 35 somewhat analyzed sample
crashes.  I've also included the raw crash samples with 27 additional
crashes that were generated between the initial disclosure time and
right now.  AFL identified them as unique issues (presumably different
code paths) though the offending code seems to be in the following
places:

substmap.c:151 (crash)
numutils.c:22 (some crash, some trigger ASAN)
ole.c:108 (ASAN)
ole.c:315 (ASAN)

The ASAN crashes indicate memory corruptions, but there are some solid
segfaults in substmap.c and numutils.c.  The crashes seem to be read
violations, so non-trivial to exploit, and since DoS and memory
disclosures aren't super interesting for document parsers, it's
unlikely that any of these deserve a CVE.

There are likely more bugs, and catdoc also includes a ppt parser and
an xls parser.

* The attachments were too big (>200k), so I made this website instead:
https://catdocbugs.neocities.org/

  - DEAN
