Skip to content

Commit

Permalink
Fix benign 1-byte buffer over-write in OLE2 parser
Browse files Browse the repository at this point in the history
The office art structure for OLE2 documents records the file name
length using a `uint8_t`, meaning the name may be up to 255 bytes in
length, not including the null terminating byte. If the length is
255 then the parser will write the null-terminating byte just after
the end of the name buffer on the stack.

This issue does not cause a crash and is not a vulnerability.

This fix extends the size of stack array to account for the null
terminator.

Thank you Michał Dardas for reporting this issue.
  • Loading branch information
ragusaa committed Apr 4, 2022
1 parent d209051 commit 2c91aa7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libclamav/xlm_extract.c
Expand Up @@ -4441,7 +4441,7 @@ cl_error_t process_blip_store_container(const unsigned char *blip_store_containe
const unsigned char *embeddedBlip;
size_t embeddedBlip_size;
char *blip_file_name = NULL;
char blip_name_buffer[255] = {0};
char blip_name_buffer[256] = {0};

if (FBSE_record_data->cbName > 0) {
memcpy(blip_name_buffer,
Expand Down

0 comments on commit 2c91aa7

Please sign in to comment.