Fix benign 1-byte buffer over-write in OLE2 parser

ragusaa · web-flow · commit 2c91aa741e67 · 2022-04-04T15:29:03.000-07:00
The office art structure for OLE2 documents records the file name
length using a `uint8_t`, meaning the name may be up to 255 bytes in
length, not including the null terminating byte. If the length is
255 then the parser will write the null-terminating byte just after
the end of the name buffer on the stack.

This issue does not cause a crash and is not a vulnerability.

This fix extends the size of stack array to account for the null
terminator.

Thank you Michał Dardas for reporting this issue.
diff --git a/libclamav/xlm_extract.c b/libclamav/xlm_extract.c
@@ -4441,7 +4441,7 @@ cl_error_t process_blip_store_container(const unsigned char *blip_store_containe
                     const unsigned char *embeddedBlip;
                     size_t embeddedBlip_size;
                     char *blip_file_name       = NULL;
-                    char blip_name_buffer[255] = {0};
+                    char blip_name_buffer[256] = {0};
 
                     if (FBSE_record_data->cbName > 0) {
                         memcpy(blip_name_buffer,
