Package: libmspack0
Version: 0.4-3
Severity: grave
Tags: security
Usertags: afl

Sorry, it's me again! libmspack crashes on the attached file:

$ gpg -d < crash.chm.asc > crash.chm
$ test/chmd_md5 crash.chm
*** crash.chm
WARNING; contents are corrupt
d41d8cd98f00b204e9800998ecf8427e /#ITBITS
5c9d7ff7a1fdaf9bcb9b3fc78b677972 /#SYSTEM
Segmentation fault

Backtrace:
#0  0x56559ca6 in search_chunk (chm=0x565641a8, chunk=0x565652e8 "PMGL\323\r", 
filename=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData", result=0xffffd3a4, 
result_end=0xffffd3a8) at mspack/chmd.c:805
#1  0x5655943b in chmd_fast_find (base=0x56564008, chm=0x565641a8, filename=0x5656098c 
"::DataSpace/Storage/MSCompressed/ControlData", f_ptr=0xffffd430, f_size=28) at 
mspack/chmd.c:581
#2  0x5655b3c7 in find_sys_file (self=0x56564008, sec=0x565641d8, f_ptr=0x565641e4, 
name=0x5656098c "::DataSpace/Storage/MSCompressed/ControlData") at 
mspack/chmd.c:1304
#3  0x5655aa4a in chmd_init_decomp (self=0x56564008, file=0x56565228) at 
mspack/chmd.c:1075
#4  0x5655a787 in chmd_extract (base=0x56564008, file=0x56565228, filename=0x0) 
at mspack/chmd.c:998
#5  0x56556304 in main (argc=2, argv=0xffffd848) at test/chmd_md5.c:44


The problem is that the bounds check in mspack/chmd.c:788:

       if (name_len > end - p) goto chunk_end;

doesn't work on 32-bit systems if "p" is already bigger than "end" (as is the case for crash.chm), because negative "end - p" gets automatically converted to unsigned int.

A quick and dirty fix would be to rewrite the bounds checks as

       if (p > end || name_len > end - p) goto chunk_end;

but it'd be better to fix the thing that sets "p" to a value past the "end".


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

--
Jakub Wilk
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

owFbK/A+iTO5KLE4Qy85Izdk95sJniHBbswMDAwJQMwIxGnzOZdxsjAwCPxlrFlV
fUFwHg/DgpNKz94IovFB6kFAAkpXQOkQAQh9Bkr/Y4TQLsoMKABobwBIKgSIuUAC
QPVMUDf8BwKYOhAbJAZyU9Ykplg9xQuCc39C3BAClYeBAF93n8u8CH1gvfpADoe+
sqdLhIdLEGOjzwIwL8QJ6ACQsfrKwSFBnn7uwYwLaxiBMsGRwSGuvgzsbAuqgLwQ
/wBPZ6CUjwCQExrkA1TLuDBDBMIJcfJhXBjDw62fmZeSWqGXUZKbw8jQ6CNiZeWS
WJIYXJCYnKrvl5ib6pNZXMLAYKOBLB5ckl+UmJ6q7xvsnJ9bUJRaXJyaou+cn1eS
mlfCsIihyUOHKNVF+TkgVQxZMpoE1QOl8jzz0vIZkjj0CSoOKUrMK07LL8rVB7ve
Ri2eBC3V5m7ORhaWJga6li7GhrqGhi5AlpORua6BgaOBs6Whq6WzuXOtvmdecUli
XnIq0Nyz9AXngZhhFIyCUTAKRsEoGAWjYBSMglHwa6AdMApGAYlgNWMXgzWDAIMc
AxMDD0MoQx5DMkM+Qy5DAUMRAwA=
=s4xD
-----END PGP MESSAGE-----
_______________________________________________
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
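The signedness problem described in the report, worked through as an added example (this is not libmspack code and not the reporter's; it is a constructed toy). The chunk layout below is an assumption made for the demo: an untrusted offset table that positions "p", followed by name_len-prefixed entries, with "end" sitting before a trailer region. The three check functions evaluate the same "name_len > end - p" expression with the integer widths an i386 build and an amd64 build would use (emulated with explicit int32_t/int64_t casts, which is what the usual arithmetic conversions do implicitly), plus the "p > end ||" variant proposed in the report:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy directory chunk, constructed for this example (NOT the real CHM PMGL
 * layout).  Assumed layout:
 *   bytes 0..3 : two little-endian u16 entry offsets (untrusted index)
 *   bytes 4..  : entries, each a u8 name_len followed by the name bytes
 *   end        : CHUNK_SIZE - QR_SIZE; the last QR_SIZE bytes are a trailer
 *                that the name_len check is meant to keep name reads out of. */
#define CHUNK_SIZE  32
#define QR_SIZE     8
#define NUM_ENTRIES 2
static const unsigned char toy_chunk[CHUNK_SIZE] = {
    0x04, 0x00,                       /* entry 0 at offset 4: valid          */
    0x1A, 0x00,                       /* entry 1 at offset 26: past end (24) */
    0x05, 'h', 'e', 'l', 'l', 'o',    /* entry 0: name_len 5, "hello"        */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* padding up to end = 24     */
    0x00, 0x00,                       /* trailer bytes 24..25                */
    0x10,                             /* byte 26: read as name_len = 16      */
    0, 0, 0, 0, 0                     /* bytes 27..31                        */
};

enum lookup_result {
    LOOKUP_REJECTED,   /* bounds check fired ("goto chunk_end")            */
    LOOKUP_OOB_READ,   /* check passed, name compare would run past chunk */
    LOOKUP_MATCH,
    LOOKUP_NO_MATCH
};

typedef int (*bounds_check_fn)(long p, long end, unsigned int name_len);

/* "name_len > end - p" as an i386 build evaluates it: end - p is a 32-bit
 * ptrdiff_t, name_len an unsigned int of the same rank, so the signed
 * difference is converted to unsigned and a negative value becomes huge. */
static int check_i386(long p, long end, unsigned int name_len)
{
    int32_t diff = (int32_t)(end - p);
    return name_len > (unsigned int)diff;   /* nonzero: goto chunk_end */
}

/* Same expression on amd64: ptrdiff_t is 64-bit, so the unsigned int widens
 * to a signed 64-bit value and a negative difference stays negative. */
static int check_amd64(long p, long end, unsigned int name_len)
{
    int64_t diff = (int64_t)end - (int64_t)p;
    return (int64_t)name_len > diff;
}

/* The quick-and-dirty fix from the report: reject p > end before subtracting. */
static int check_fixed(long p, long end, unsigned int name_len)
{
    return p > end || name_len > (size_t)(end - p);
}

/* Position p from the untrusted offset table, read name_len, apply the given
 * bounds check, then compare the name (the step that would read out of
 * bounds if the check let a bad p through). */
static enum lookup_result lookup(const unsigned char *chunk, unsigned idx,
                                 const char *filename, bounds_check_fn check)
{
    long end = CHUNK_SIZE - QR_SIZE;
    if (idx >= NUM_ENTRIES) return LOOKUP_REJECTED;
    long p = chunk[idx * 2] | (chunk[idx * 2 + 1] << 8);   /* untrusted */
    if (p >= CHUNK_SIZE) return LOOKUP_REJECTED;  /* keeps the toy itself in bounds */
    unsigned int name_len = chunk[p];
    p += 1;
    if (check(p, end, name_len)) return LOOKUP_REJECTED;
    if ((size_t)p + name_len > CHUNK_SIZE) return LOOKUP_OOB_READ;  /* real code would memcmp here */
    if (name_len == strlen(filename) && memcmp(chunk + p, filename, name_len) == 0)
        return LOOKUP_MATCH;
    return LOOKUP_NO_MATCH;
}

int main(void)
{
    static const struct { const char *label; bounds_check_fn fn; } checks[] = {
        { "chmd.c:788 check, i386 widths ", check_i386  },
        { "chmd.c:788 check, amd64 widths", check_amd64 },
        { "p > end || name_len > end - p ", check_fixed },
    };
    static const char *outcome[] = { "rejected (chunk_end)", "OOB read", "match", "no match" };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("%s: entry0=%s entry1=%s\n", checks[i].label,
               outcome[lookup(toy_chunk, 0, "hello", checks[i].fn)],
               outcome[lookup(toy_chunk, 1, "hello", checks[i].fn)]);
    return 0;
}
```

Entry 1 puts p at 27 with end at 24, so end - p is -3: with 32-bit widths the check compares 16 against 4294967293 and passes, and the name compare would run past the buffer; with 64-bit widths, or with the "p > end" guard in front, the lookup is rejected.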