out of bounds read with test data in MAPIPrint #28

Closed
@hannob

Description

When compiling ytnef with AddressSanitizer enabled (a compiler feature to detect invalid memory access), it shows an out-of-bounds read in the function MAPIPrint. This doesn't require any malformed input; it happens with many of the test files shipped in the directory test-data.

To reproduce:

  • Compile ytnef 1.9.1 with address sanitizer: ./autogen.sh; ./configure; make CFLAGS="-fsanitize=address -g"
  • Run
    ytnefprint/ytnefprint test-data/rtf.tnef
    or
    ytnefprint/ytnefprint test-data/winmail.dat

Here's the error message from address sanitizer:

==22088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb0 at pc 0x7f67eb0cc60a bp 0x7ffd04a671e0 sp 0x7ffd04a671d8
READ of size 8 at 0x60200000eeb0 thread T0
    #0 0x7f67eb0cc609 in MAPIPrint /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1393
    #1 0x5578281d9bbc in PrintTNEF /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:169
    #2 0x5578281d9116 in main /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:84
    #3 0x7f67ead471e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
    #4 0x5578281d8d79 in _start (/mnt/ram/ytnef-1.9.1-2/ytnefprint/.libs/ytnefprint+0x1d79)

0x60200000eeb4 is located 0 bytes to the right of 4-byte region [0x60200000eeb0,0x60200000eeb4)
allocated by thread T0 here:
    #0 0x7f67eb3a4660 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2660)
    #1 0x7f67eb0c3f2a in TNEFFillMapi /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:544
    #2 0x7f67eb0c28da in TNEFMapiProperties /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:396
    #3 0x7f67eb0cac16 in TNEFParse /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1180
    #4 0x7f67eb0c9ac6 in TNEFParseFile /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1042
    #5 0x5578281d90dc in main /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:80
    #6 0x7f67ead471e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
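
The class of defect the report above describes, as an added example that is not ytnef's code: a property value buffer is calloc'd to exactly the size the file supplies (4 bytes here), and a printer later reads it as an 8-byte type, which is the "READ of size 8 ... 0 bytes to the right of 4-byte region" that AddressSanitizer flags. The struct, the `PT_I4`/`PT_I8` tags, `prop_new`, `prop_read_u64_unchecked` and the size-checked `prop_read_u64`/`prop_read_u32` accessors are all invented for illustration and do not correspond to identifiers in lib/ytnef.c. The sample byte strings are constructed.

```c
/* Added illustration of an 8-byte read from a 4-byte calloc'd buffer.
 * Not ytnef's code: every name below is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical property record. The parser allocates exactly `size`
 * bytes for the value, so a printer must not assume a fixed width. */
typedef struct {
    uint32_t type;   /* constructed tag: PT_I4 = 32-bit, PT_I8 = 64-bit */
    size_t   size;   /* bytes actually allocated behind `data` */
    uint8_t *data;   /* calloc'd by the parser, freed by prop_free */
} mapi_prop;

enum { PT_I4 = 1, PT_I8 = 2 };

/* Mimics the parser: allocate only as many bytes as the input carries. */
static mapi_prop *prop_new(uint32_t type, const void *bytes, size_t n) {
    mapi_prop *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->type = type;
    p->size = n;
    p->data = calloc(n ? n : 1, 1);
    if (!p->data) { free(p); return NULL; }
    memcpy(p->data, bytes, n);
    return p;
}

static void prop_free(mapi_prop *p) {
    if (p) { free(p->data); free(p); }
}

/* Vulnerable pattern: the printer trusts a fixed 8-byte width and never
 * consults the allocation size. On a 4-byte buffer this is the
 * heap-buffer-overflow read that ASan reports (memcpy is intercepted). */
static uint64_t prop_read_u64_unchecked(const mapi_prop *p) {
    uint64_t v;
    memcpy(&v, p->data, sizeof v);   /* reads 8 bytes regardless of p->size */
    return v;
}

/* Hardened form: the width is checked against the allocation before any
 * byte is touched. Returns 0 on success, -1 if the value would not fit
 * or the tag does not match. */
static int prop_read_u64(const mapi_prop *p, uint64_t *out) {
    if (!p || !p->data || !out) return -1;
    if (p->type != PT_I8 || p->size < sizeof *out) return -1;
    memcpy(out, p->data, sizeof *out);
    return 0;
}

static int prop_read_u32(const mapi_prop *p, uint32_t *out) {
    if (!p || !p->data || !out) return -1;
    if (p->type != PT_I4 || p->size < sizeof *out) return -1;
    memcpy(out, p->data, sizeof *out);
    return 0;
}

/* Stand-alone demo. Build and run with
 *   cc -fsanitize=address -g example.c && ./a.out
 * The checked accessors refuse the 4-byte property; the unchecked read
 * at the end trips AddressSanitizer with a "READ of size 8" report. */
int main(void) {
    const uint8_t four[4]  = {0x11, 0x11, 0x11, 0x11};                         /* constructed */
    const uint8_t eight[8] = {0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A}; /* constructed */
    mapi_prop *short_prop = prop_new(PT_I4, four, sizeof four);
    mapi_prop *long_prop  = prop_new(PT_I8, eight, sizeof eight);
    uint64_t v64 = 0;
    uint32_t v32 = 0;

    if (!short_prop || !long_prop) return 1;
    printf("checked u32 read on 4-byte prop: rc=%d\n", prop_read_u32(short_prop, &v32));
    printf("checked u64 read on 4-byte prop: rc=%d\n", prop_read_u64(short_prop, &v64));
    printf("checked u64 read on 8-byte prop: rc=%d\n", prop_read_u64(long_prop, &v64));

    /* Heap-buffer-overflow: 8-byte read from a 4-byte region. */
    printf("unchecked: 0x%llx\n", (unsigned long long)prop_read_u64_unchecked(short_prop));

    prop_free(short_prop);
    prop_free(long_prop);
    return 0;
}
```

The fix pattern that matters for a printer like MAPIPrint is the second accessor: the byte count comes from the allocation that the parser recorded, not from the property's type tag alone, so an undersized value is rejected instead of read past its end. Building the project with `CFLAGS="-fsanitize=address -g"` as in the report is the cheapest way to confirm that the mismatch is gone, since ASan intercepts both direct dereferences and memcpy.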
