Closed
Description
When compiling ytnef with address sanitizer enabled (a compiler feature to detect invalid memory access), it shows an out-of-bounds read in the function MAPIPrint. This doesn't require any malformed input; it happens with many of the test files shipped in the test-data directory.
To reproduce:
- Compile ytnef 1.9.1 with address sanitizer: ./autogen.sh; ./configure; make CFLAGS="-fsanitize=address -g"
- Run ytnefprint/ytnefprint test-data/rtf.tnef or ytnefprint/ytnefprint test-data/winmail.dat
Here's the error message from address sanitizer:
==22088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb0 at pc 0x7f67eb0cc60a bp 0x7ffd04a671e0 sp 0x7ffd04a671d8
READ of size 8 at 0x60200000eeb0 thread T0
#0 0x7f67eb0cc609 in MAPIPrint /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1393
#1 0x5578281d9bbc in PrintTNEF /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:169
#2 0x5578281d9116 in main /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:84
#3 0x7f67ead471e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
#4 0x5578281d8d79 in _start (/mnt/ram/ytnef-1.9.1-2/ytnefprint/.libs/ytnefprint+0x1d79)
0x60200000eeb4 is located 0 bytes to the right of 4-byte region [0x60200000eeb0,0x60200000eeb4)
allocated by thread T0 here:
#0 0x7f67eb3a4660 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2660)
#1 0x7f67eb0c3f2a in TNEFFillMapi /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:544
#2 0x7f67eb0c28da in TNEFMapiProperties /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:396
#3 0x7f67eb0cac16 in TNEFParse /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1180
#4 0x7f67eb0c9ac6 in TNEFParseFile /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1042
#5 0x5578281d90dc in main /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:80
#6 0x7f67ead471e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
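The sanitizer output above says everything a reviewer needs about the bug class: TNEFFillMapi calloc'd a 4-byte region for a property value, and MAPIPrint then performed an 8-byte read starting at that region. Below is an added illustration of that shape and of the check that prevents it. It is not ytnef's code and not the reporter's; the Property struct, the fill_property, value_width, print_property_unchecked and print_property_checked functions, and the sample byte strings are all hypothetical, chosen only to model a 4-byte value being read through an 8-byte access.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Property-type tags as used by MAPI (low 16 bits of a property tag). */
#define PT_LONG   0x0003   /* 32-bit signed integer, 4 bytes */
#define PT_DOUBLE 0x0005   /* 64-bit float, 8 bytes          */
#define PT_I8     0x0014   /* 64-bit signed integer, 8 bytes */

/* Hypothetical, simplified property record (not ytnef's MAPIProperty). */
typedef struct {
    uint16_t type;   /* PT_* tag */
    size_t   size;   /* bytes actually allocated for data */
    uint8_t *data;   /* heap buffer holding the raw value */
} Property;

/* Constructed inputs: raw little-endian bytes a TNEF stream would carry for
   PT_LONG values 42 and -1. Both are 4 bytes, like the region in the report. */
static const uint8_t kLong42[4]     = { 0x2a, 0x00, 0x00, 0x00 };
static const uint8_t kLongMinus1[4] = { 0xff, 0xff, 0xff, 0xff };

/* Fill step: allocate exactly as many bytes as the stream supplies. This is
   the analogue of the calloc in the report's allocation stack. */
int fill_property(Property *p, uint16_t type, const uint8_t *raw, size_t len) {
    p->type = type;
    p->size = len;
    p->data = calloc(1, len ? len : 1);
    if (!p->data) return -1;
    memcpy(p->data, raw, len);
    return 0;
}

/* Number of bytes a printer must read for a fixed-width scalar type. */
size_t value_width(uint16_t type) {
    switch (type) {
    case PT_LONG:   return 4;
    case PT_DOUBLE:
    case PT_I8:     return 8;
    default:        return 0;   /* not a fixed-width scalar */
    }
}

/* Vulnerable shape: the printer assumes every numeric value is 8 bytes wide
   and never consults the allocated size. With a 4-byte PT_LONG buffer this is
   an 8-byte read that runs 4 bytes past the end of the heap region, the same
   pattern ASan reports ("READ of size 8 ... 0 bytes to the right of 4-byte
   region"). Shown for contrast only; nothing below calls it. */
void print_property_unchecked(const Property *p) {
    int64_t v;
    memcpy(&v, p->data, sizeof v);          /* 8 bytes from a 4-byte buffer */
    printf("0x%04x = %lld\n", p->type, (long long)v);
}

/* Hardened shape: derive the width from the type, refuse to read past the
   allocation, and widen 4-byte values explicitly. Returns 0 on success and
   stores the decoded value in *out; returns -1 if the record is inconsistent. */
int print_property_checked(const Property *p, int64_t *out) {
    size_t width = value_width(p->type);
    if (width == 0 || width > p->size) {
        fprintf(stderr, "property 0x%04x: need %zu bytes, have %zu\n",
                p->type, width, p->size);
        return -1;
    }
    int64_t v;
    if (width == 4) {
        int32_t v32;
        memcpy(&v32, p->data, sizeof v32);
        v = v32;                            /* sign-extend to 64 bits */
    } else {
        memcpy(&v, p->data, sizeof v);
    }
    printf("0x%04x = %lld\n", p->type, (long long)v);
    if (out) *out = v;
    return 0;
}

int main(void) {
    Property p;
    int64_t v = 0;
    if (fill_property(&p, PT_LONG, kLong42, sizeof kLong42) != 0) return 1;
    int rc = print_property_checked(&p, &v);
    free(p.data);
    return rc == 0 && v == 42 ? 0 : 1;
}
```

The point of the checked version is that the width is a function of the declared type, and the dereference is gated on that width fitting inside the bytes actually allocated; a record whose tag promises 8 bytes but whose buffer holds 4 is rejected instead of read. Compiling with -fsanitize=address, as the report does, is still the right way to confirm that no other print path has the unchecked shape.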