out of bounds read with test data in MAPIPrint #28

Closed
hannob opened this issue Feb 15, 2017 · 3 comments

hannob commented Feb 15, 2017

When compiling ytnef with address sanitizer enabled (a compiler feature to detect invalid memory access), it shows an out of bounds read in the function MAPIPrint. This doesn't require any malformed input; it happens with many of the test files shipped in the dir test-data.

To reproduce:

  • Compile ytnef 1.9.1 with address sanitizer: ./autogen.sh; ./configure; make CFLAGS="-fsanitize=address -g"
  • Run
    ytnefprint/ytnefprint test-data/rtf.tnef
    or
    ytnefprint/ytnefprint test-data/winmail.dat

Here's the error message from address sanitizer:

==22088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb0 at pc 0x7f67eb0cc60a bp 0x7ffd04a671e0 sp 0x7ffd04a671d8
READ of size 8 at 0x60200000eeb0 thread T0
    #0 0x7f67eb0cc609 in MAPIPrint /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1393
    #1 0x5578281d9bbc in PrintTNEF /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:169
    #2 0x5578281d9116 in main /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:84
    #3 0x7f67ead471e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
    #4 0x5578281d8d79 in _start (/mnt/ram/ytnef-1.9.1-2/ytnefprint/.libs/ytnefprint+0x1d79)

0x60200000eeb4 is located 0 bytes to the right of 4-byte region [0x60200000eeb0,0x60200000eeb4)
allocated by thread T0 here:
    #0 0x7f67eb3a4660 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2660)
    #1 0x7f67eb0c3f2a in TNEFFillMapi /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:544
    #2 0x7f67eb0c28da in TNEFMapiProperties /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:396
    #3 0x7f67eb0cac16 in TNEFParse /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1180
    #4 0x7f67eb0c9ac6 in TNEFParseFile /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1042
    #5 0x5578281d90dc in main /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:80
    #6 0x7f67ead471e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
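
The report above can be triaged mechanically. The following Python is an added example, not part of the original issue or of ytnef: it parses the report lines quoted above (frames trimmed) and works out where the access starts inside the allocation and how far it runs past the end. The function and field names are this example's own.

```python
import re

# ASan report lines copied from the issue above, trimmed to the top frames.
REPORT = """\
==22088==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb0 at pc 0x7f67eb0cc60a bp 0x7ffd04a671e0 sp 0x7ffd04a671d8
READ of size 8 at 0x60200000eeb0 thread T0
    #0 0x7f67eb0cc609 in MAPIPrint /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:1393
    #1 0x5578281d9bbc in PrintTNEF /mnt/ram/ytnef-1.9.1-2/ytnefprint/main.c:169

0x60200000eeb4 is located 0 bytes to the right of 4-byte region [0x60200000eeb0,0x60200000eeb4)
allocated by thread T0 here:
    #0 0x7f67eb3a4660 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2660)
    #1 0x7f67eb0c3f2a in TNEFFillMapi /mnt/ram/ytnef-1.9.1-2/lib/ytnef.c:544
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)
RUNTIME = ("libasan", "libc.so")  # frames inside the sanitizer runtime or libc

def first_app_frame(text):
    """Return (function, location) of the first frame outside the runtime."""
    for func, loc in FRAME.findall(text):
        if not any(lib in loc for lib in RUNTIME):
            return func, loc
    return None

def triage(report):
    """Summarise one heap-buffer-overflow report as a dict."""
    kind = HEADER.search(report).group(1)
    op, size, addr = ACCESS.search(report).groups()
    region_size, start, end = REGION.search(report).groups()
    # The access stack comes before "allocated by thread", the allocation stack after.
    access_part, _, alloc_part = report.partition("allocated by thread")
    addr, size, start, end = int(addr, 16), int(size), int(start, 16), int(end, 16)
    return {
        "kind": kind,
        "op": op,
        "access_size": size,
        "region_size": int(region_size),
        "offset_in_region": addr - start,             # where the access begins
        "bytes_past_end": max(0, addr + size - end),  # how far it runs over
        "access_site": first_app_frame(access_part),
        "alloc_site": first_app_frame(alloc_part),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

For this report the access begins at offset 0 of the 4-byte region and is 8 bytes wide, so it runs 4 bytes past the end of the buffer allocated in TNEFFillMapi.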

Yeraze (Owner) commented Feb 24, 2017

Please review the new PR and see if this resolves this issue (it did for me on all the sample data).

hannob (Author) commented Feb 24, 2017

Can confirm the PR fixes the bug.
I noticed that you added address sanitizer for some of your tests, but then removed it again for gcc, claiming that it doesn't work with that. Not sure where you got that from; asan has been available in gcc for a long time, and unless you're using a really old version it should work.

Yeraze (Owner) commented Feb 24, 2017

The version on travis errored that it was an unrecognized argument. gcc 4.6.3

https://travis-ci.org/Yeraze/ytnef/builds/204712035

Yeraze closed this as completed Feb 24, 2017