BugFix - Potential OOB with Fields of Size 0

Thanks to @hannob for contributing a malformed TNEF stream with a Version field of size 0. Now such files will return an error indicating invalid data.
Yeraze · Feb 24, 2017 · 3cb0f91 · 3cb0f91
1 parent 19818f3
commit 3cb0f91
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/lib/ytnef.c b/lib/ytnef.c
@@ -1147,6 +1147,10 @@ int TNEFParse(TNEFStruct *TNEF) {
   while (TNEFGetHeader(TNEF, &type, &size) == 0) {
     DEBUG2(TNEF->Debug, 2, "Header says type=0x%X, size=%u", type, size);
     DEBUG2(TNEF->Debug, 2, "Header says type=%u, size=%u", type, size);
+    if(size == 0) {
+      printf("ERROR: Field with size of 0\n");
+      return YTNEF_ERROR_READING_DATA;
+    }
     data = calloc(size, sizeof(BYTE));
     ALLOCCHECK(data);
     if (TNEFRawRead(TNEF, data, size, &header_checksum) < 0) {

diff --git a/test-data/test.sh b/test-data/test.sh
@@ -21,3 +21,5 @@ diff results data
 ../ytnefprint/ytnefprint ./winmail.dat  | grep -A 1 PR_RTF_SYNC_BODY_CRC     | grep 872404792
 ../ytnefprint/ytnefprint ./winmail.dat  | grep -A 1 PR_RTF_SYNC_BODY_COUNT   | grep 90
 ../ytnefprint/ytnefprint ./winmail.dat  | grep -A 18 PR_RTF_COMPRESSED       | grep '\pard Casdasdfasdfasd\\par'
+
+../ytnefprint/ytnefprint ./ytnef-oob-TNEFVersion-SwapWord | grep 'ERROR: Field with size of 0'
diff --git a/test-data/ytnef-oob-TNEFVersion-SwapWord b/test-data/ytnef-oob-TNEFVersion-SwapWord