Package: libytnef0
Version: 1.9.2-1
Severity: normal
Tags: security
 
 Hi,
 
We found that the following code may cause a buffer over-read and leak extra bytes
to the output.
The reason is that the data char array is a user-controlled value and is not
guaranteed to end with a '\0' byte, so it needs extra checking, or we can
force the last byte to be '\0'.
libytnef.c: 246

    int TNEFDefaultHandler STD_ARGLIST {
      if (TNEF->Debug >= 1) {
    +      data[size-1]='\0';
        printf("%s: [%i] %s\n", TNEFList[id].name, size, data);
      }
      return 0;
    }
 To verify this, use the testcase from:
https://github.com/bingosxs/fuzzdata/raw/master/ytnef-1.9/18-TNEFDefaultHandler.tnef
   
 run the sample with command:
 
 ytnef/.libs/ytnef -v 18-TNEFDefaultHandler.tnef

The tracelog is:
=================================================================

canicula@canicula-Lenovo-Product-64:~/afl/test/libytnef0/testenv$ valgrind ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id\:000018\,sig\:06\,src\:000011\,op\:int16\,pos\:1141\,val\:+16
==16517== Memcheck, a memory error detector
==16517== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==16517== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==16517== Command: ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id:000018,sig:06,src:000011,op:int16,pos:1141,val:+16
==16517== 
Attempting to parse ../../libytnef0/testenv/out/crashes/id:000018,sig:06,src:000011,op:int16,pos:1141,val:+16...
Request Response: [2] �
==16517== Invalid read of size 1
==16517==    at 0x50A8CC0: vfprintf (vfprintf.c:1632)
==16517==    by 0x50AF898: printf (printf.c:33)
==16517==    by 0x4E3BE42: TNEFDefaultHandler (ytnef.c:250)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5424b71 is 0 bytes after a block of size 1 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E46450: TNEFParse (ytnef.c:1154)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517== 
Message Status: [1] !
==16517== Invalid write of size 4
==16517==    at 0x4E3F381: TNEFFillMapi (ytnef.c:543)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd8 is 8 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517== 
==16517== Invalid write of size 8
==16517==    at 0x4E3F39A: TNEFFillMapi (ytnef.c:544)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd0 is 0 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517== 
==16517== Invalid read of size 4
==16517==    at 0x4E3F437: TNEFFillMapi (ytnef.c:548)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd8 is 8 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517== 
Corrupted file detected at ytnef.c : 546
ERROR Parsing MAPI block calendar.ics
==16517== 
==16517== HEAP SUMMARY:
==16517==     in use at exit: 2,124 bytes in 531 blocks
==16517==   total heap usage: 607 allocs, 76 frees, 17,132 bytes allocated
==16517== 
==16517== LEAK SUMMARY:
==16517==    definitely lost: 2,124 bytes in 531 blocks
==16517==    indirectly lost: 0 bytes in 0 blocks
==16517==      possibly lost: 0 bytes in 0 blocks
==16517==    still reachable: 0 bytes in 0 blocks
==16517==         suppressed: 0 bytes in 0 blocks
==16517== Rerun with --leak-check=full to see details of leaked memory
==16517== 
==16517== For counts of detected and suppressed errors, rerun with: -v
==16517== ERROR SUMMARY: 1593 errors from 4 contexts (suppressed: 0 from 0)
--------------------------------------------------------
self ref:: https://github.com/Yeraze/ytnef/issues/48

Credits: National Computer Network Emergency Response Technical 
Team/Coordination Center of China. Wang Bo, Fan Lejun, Wu Qian. TCA, ISCAS.
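The report's root cause is a `printf("%s")` over an attribute buffer that is exactly `size` bytes long and carries no terminating NUL, so the format routine keeps reading past the end of the allocation. The following is an added example, not ytnef's code or the reporter's patch, showing two defensive ways to print such a buffer without a terminator: bounded formatting with `%.*s`, and copying into a block one byte larger before terminating it. The function names (`visible_len`, `format_attr`, `copy_terminated`) and the 3-byte sample buffer are constructed for this illustration.

```c
/* Added example (hypothetical helpers, not ytnef code): safe handling of a
 * heap buffer that is `size` bytes long with no terminating NUL, which is the
 * situation the report describes for the data array in TNEFDefaultHandler. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How many bytes a "%s" conversion would consume if the buffer happened to
 * contain a NUL, clamped to `size`. If no NUL lies within `size` bytes the
 * whole buffer is returned; an unbounded "%s" would instead read on past the
 * allocation, which is the invalid read Valgrind flagged in the report. */
size_t visible_len(const unsigned char *data, size_t size)
{
    const unsigned char *nul = memchr(data, '\0', size);
    return nul ? (size_t)(nul - data) : size;
}

/* Option 1: bounded formatting. "%.*s" stops after `size` bytes (or at an
 * earlier NUL), so no terminator is required and nothing beyond the block is
 * read. Writes into the caller's buffer and returns snprintf's result. */
int format_attr(char *out, size_t outlen, const char *name,
                const unsigned char *data, size_t size)
{
    int width = size > INT_MAX ? INT_MAX : (int)size;
    return snprintf(out, outlen, "%s: [%zu] %.*s", name, size, width,
                    (const char *)data);
}

/* Option 2: copy into a block one byte larger and terminate there. This
 * preserves every original byte (terminating in place at data[size-1]
 * would overwrite the last real byte). Returns NULL on allocation failure;
 * the caller frees the result. */
char *copy_terminated(const unsigned char *data, size_t size)
{
    char *out = malloc(size + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, data, size);
    out[size] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a 3-byte heap block with no NUL, standing in for
     * an attribute buffer of exactly `size` bytes read from the file. */
    unsigned char *attr = malloc(3);
    char line[64];
    if (attr == NULL)
        return 1;
    memcpy(attr, "abc", 3);

    format_attr(line, sizeof line, "Request Response", attr, 3);
    puts(line);                         /* Request Response: [3] abc */

    char *copy = copy_terminated(attr, 3);
    if (copy != NULL) {
        printf("copy: %s (len %zu)\n", copy, strlen(copy));
        free(copy);
    }
    free(attr);
    return 0;
}
```

Both options keep the debug output intact for well-formed input; the difference is that `format_attr` needs no extra allocation, while `copy_terminated` yields a genuine C string that can be handed to any string API afterwards. A `size` of zero is handled by both (`%.0s` prints nothing, and the copy is a 1-byte block holding only the NUL).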
