On 2015-01-18 18:59:33 [+0100], Jakub Wilk wrote:
> Sorry, it's me again! libmspack crashes on the attached file:
As I've seen your ubsan reports, I assumed you were done. Wrong this
was.

> $ gpg -d < crash.chm.asc > crash.chm
> $ test/chmd_md5 crash.chm
> *** crash.chm
> 
> but it'd be better to fix the thing that sets "p" to a value past the "end".

So something like the patch attached then? But this should be
double-checked in case we properly come to end and don't continue
using p anymore. But not today…

Sebastian
From d78acf012a47fb4e868a87ef738a947ad3aa7ea3 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Sun, 18 Jan 2015 22:47:45 +0100
Subject: [PATCH] mspack/chmd: check p > end also after we left

Jakub's AFL produced a case where "p" reads the name_len just at the
end of the buffer. The macro increases p and makes it bigger than end.
The following oversize check fails on 32bit and booooom. The patch ensures
that we check p vs end even after we legally leave the loop.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 mspack/chmd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mspack/chmd.c b/mspack/chmd.c
index 4caff45..22661f2 100644
--- a/mspack/chmd.c
+++ b/mspack/chmd.c
@@ -257,6 +257,7 @@ static const unsigned char guids[32] = {
 	if (p > end) goto chunk_end;		\
 	(var) = ((var) << 7) | (*p & 0x7F);	\
     } while (*p++ & 0x80);			\
+    if (p > end) goto chunk_end;		\
 } while (0)
 
 static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
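Review bot: the new `if (p > end) goto chunk_end;` after the do/while lets `p == end` through, and whether that is safe depends on whether `end` points at the last valid byte or one past it, which this hunk does not show. The in-loop check has the same shape and is followed by a dereference of `*p`, so if `end` is one-past-the-end both checks allow a one-byte read at `end`; the commit message itself says the bounds handling still needs to be double-checked, so please confirm the convention for `end` and use `>=` if it is exclusive.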
-- 
2.1.3

_______________________________________________
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
