An integer overflow vulnerability exists in the LZX decompression routines of CHMLib (tested in version 0.40, the latest release as of 2025). The issue occurs within lzx.c during bitstream parsing (lzx_read_lens and LZXdecompress), where a crafted CHM file can supply values that cause left-shift operations to exceed the representable range of a 32-bit signed integer. When processing malformed compressed blocks, operations such as:

    leaf = pos >> 16;
    table[(next_symbol << 1)] = 0;
    bitbuf |= ((inpos[1]<<8)|inpos[0]) << (ULONG_BITS-16 - bitsleft);

shift large values (value << 16) in int arithmetic, which is undefined behavior as soon as the result no longer fits in an int. The resulting values corrupt the Huffman decode tables and the decompression state.
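As an added illustration (not code from the advisory or from CHMLib itself), the C program below shows why the quoted refill expression overflows and how the same computation can be done without undefined behavior. shift_overflows_int reproduces the check UBSan performs for a left shift into a 32-bit int; refill_bitbuf is a hypothetical rewrite of the bitbuf line in which every operand is widened to uint32_t before the shift, so the result is well-defined modular arithmetic. The function names and the ULONG_BITS value of 32 are assumptions; the three values in main are the ones reported in the observed errors.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the bit buffer is 32 bits wide, as the advisory's "cannot be
 * represented in type 'int'" messages imply. */
#define ULONG_BITS 32

/* Returns 1 if (value << shift) cannot be represented in a 32-bit signed int,
 * i.e. exactly the condition UBSan flags. The product is computed in 64 bits
 * so that the check itself never overflows. */
int shift_overflows_int(uint32_t value, unsigned shift)
{
    if (shift >= 32)
        return 1;                       /* shift width itself is out of range */
    uint64_t wide = (uint64_t)value << shift;
    return wide > (uint64_t)INT_MAX;
}

/* Hypothetical hardened refill: same shape as the lzx.c line quoted above,
 * but inpos[] bytes are promoted to uint32_t instead of int before shifting,
 * so a 16-bit word shifted by 16 wraps modulo 2^32 rather than being UB.
 * bitsleft must be <= 16 for the shift amount to be meaningful (the caller
 * only refills when fewer than 16 bits remain). */
uint32_t refill_bitbuf(uint32_t bitbuf, const unsigned char *inpos, unsigned bitsleft)
{
    if (bitsleft > 16)
        return bitbuf;                  /* would produce a negative/oversized shift */
    uint32_t word = ((uint32_t)inpos[1] << 8) | (uint32_t)inpos[0]; /* little-endian */
    unsigned shift = ULONG_BITS - 16 - bitsleft;
    return bitbuf | (word << shift);
}

int main(void)
{
    /* The three operands from the advisory's UBSan output. */
    uint32_t reported[] = { 39074, 53200, 63471 };
    for (size_t i = 0; i < sizeof reported / sizeof reported[0]; i++)
        printf("%u << 16 overflows int: %s\n", reported[i],
               shift_overflows_int(reported[i], 16) ? "yes" : "no");

    /* Constructed sample input: two little-endian bytes forming 0x9822 (38946),
     * a value that overflows int when shifted as in the original code. */
    unsigned char sample[2] = { 0x22, 0x98 };
    printf("hardened refill: 0x%08x\n", refill_bitbuf(0, sample, 0));
    return 0;
}
```

Any 16-bit word of 32768 or more overflows int when shifted by 16 (32767 << 16 is 0x7FFF0000, the largest that fits), so roughly half of all possible bitstream words trigger the report; compiling with -fsanitize=undefined, as the advisory does, is the quickest way to confirm whether a given build is affected.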
*Impact:*

- Crafted CHM files can crash applications that use CHMLib by causing failures or illegal memory operations during decompression.
- Although direct heap overflows were not observed in this testing, the corrupted decompression state (match_length, match_offset) could, for certain inputs, lead to out-of-bounds reads or writes.

*Proof of Concept:*

    ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
    UBSAN_OPTIONS=print_stacktrace=1 \
    ./chmextract crafted_overflow_lzx.chm /tmp/out

*Observed errors:*

    lzx.c:663:37: runtime error: left shift of 39074 by 16 places cannot be represented in type 'int'
    lzx.c:569:25: runtime error: left shift of 53200 by 16 places cannot be represented in type 'int'
    lzx.c:440:9: runtime error: left shift of 63471 by 16 places cannot be represented in type 'int'

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
