out of bounds read in DecompressRTF #34

Closed
hannob opened this issue Feb 24, 2017 · 4 comments
hannob commented Feb 24, 2017

The attached file causes an out-of-bounds read, detectable with ASan, in the function DecompressRTF.
ytnef-DecompressRTF.zip

Here's the address sanitizer error:

==8156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000042b at pc 0x000000519cdc bp 0x7ffe04710870 sp 0x7ffe04710868
READ of size 1 at 0x61900000042b thread T0
    #0 0x519cdb in DecompressRTF /mnt/ram/ytnef/lib/ytnef.c:1548:31
    #1 0x51184b in MAPIPrint /mnt/ram/ytnef/lib/ytnef.c:1417:39
    #2 0x50a2cb in PrintTNEF /mnt/ram/ytnef/ytnefprint/main.c:169:5
    #3 0x509693 in main /mnt/ram/ytnef/ytnefprint/main.c:84:5
    #4 0x7f0b10c8c1e0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r1/work/glibc-2.24/csu/../csu/libc-start.c:289
    #5 0x419979 in _start (/mnt/ram/ytnef/ytnefprint/ytnefprint+0x419979)

0x61900000042b is located 0 bytes to the right of 939-byte region [0x619000000080,0x61900000042b)
allocated by thread T0 here:
    #0 0x4d05c0 in calloc (/mnt/ram/ytnef/ytnefprint/ytnefprint+0x4d05c0)
    #1 0x50f11d in TNEFFillMapi /mnt/ram/ytnef/lib/ytnef.c:513:26
    #2 0x50cb60 in TNEFMapiProperties /mnt/ram/ytnef/lib/ytnef.c:396:7
    #3 0x5161f4 in TNEFParseFile /mnt/ram/ytnef/lib/ytnef.c:1042:10
    #4 0x50965d in main /mnt/ram/ytnef/ytnefprint/main.c:80:9

Yeraze commented Feb 25, 2017

I think this is already resolved by #32


hannob commented Feb 25, 2017

No, I have tested it with latest git + pull req 32. (But I'm having some trouble reproducing it under certain conditions. Right now it only reproduces with clang, not with gcc.)

Yeraze added a commit that referenced this issue Feb 25, 2017
You could potentially overflow the input pointer.

in response to #34

Yeraze commented Feb 25, 2017

I'm running it with clang on my MacBook, and can't trigger your error. I think there's still a potential bug here so I added a sanity check, see if it disappears for you.
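The report and the "overflow the input pointer" commit above are about the decoder walking past the end of the buffer it was given. The following is an added example, not ytnef's code and not the fix committed for this issue: a bounds-checked decoder for the compressed-RTF (LZFu) container that PR_RTF_COMPRESSED carries, written in C from the public format description (a 16-byte header of COMPSIZE, RAWSIZE, COMPTYPE and CRC; a 4096-byte dictionary preloaded with a 207-byte RTF prefix; control bytes whose bits select either a literal byte or a 2-byte back-reference; a reference whose offset equals the current dictionary write position ends the stream). The function names, the status enum and the 27-byte sample input are constructed for this example. The two checks the ASan trace motivates are that every input read is bounded by the length actually handed to the function rather than by the header's COMPSIZE, and every output write by the caller's capacity rather than by RAWSIZE.

```c
/* Added example, not ytnef's code: bounds-checked LZFu (compressed RTF) decoder. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LZFU_DICT_SIZE   4096
#define LZFU_HEADER_SIZE 16
#define LZFU_MAGIC_LZFU  0x75465A4CUL   /* bytes 'L','Z','F','u' read little-endian */
#define LZFU_MAGIC_MELA  0x414C454DUL   /* bytes 'M','E','L','A': payload stored raw */

/* The 207-byte dictionary preload defined by the format. */
static const char lzfu_prefix[] =
    "{\\rtf1\\ansi\\mac\\deff0\\deftab720{\\fonttbl;}{\\f0\\fnil \\froman \\fswiss "
    "\\fmodern \\fscript \\fdecor MS Sans SerifSymbolArialTimes New RomanCourier"
    "{\\colortbl\\red0\\green0\\blue0\r\n\\par \\pard\\plain\\f0\\fs20\\b\\i\\u\\tab\\tx";
#define LZFU_PREFIX_LEN (sizeof(lzfu_prefix) - 1)

enum lzfu_status {            /* names are this example's own */
    LZFU_OK = 0,
    LZFU_ERR_SHORT_INPUT,     /* fewer than 16 bytes: no complete header */
    LZFU_ERR_BAD_MAGIC,       /* COMPTYPE is neither LZFu nor MELA */
    LZFU_ERR_TRUNCATED,       /* input ended before the end-of-stream token */
    LZFU_ERR_OUTPUT_FULL      /* decompressed data exceeds out_cap */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode in[0..in_len) into out[0..out_cap). *out_len receives the bytes
 * produced, also on error, so a caller may keep a partial result if it wants. */
enum lzfu_status lzfu_decompress(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint8_t dict[LZFU_DICT_SIZE];
    size_t wpos, pos, end, n = 0;
    uint32_t comp_size, magic;

    *out_len = 0;
    if (in_len < LZFU_HEADER_SIZE)
        return LZFU_ERR_SHORT_INPUT;
    comp_size = rd_le32(in);      /* claimed size of everything after this field */
    magic     = rd_le32(in + 8);  /* in+4 is RAWSIZE (a hint only); in+12 is a CRC, not verified here */

    /* The header may claim more data than we were handed: clamp to the real buffer. */
    end = in_len;
    if ((size_t)comp_size < in_len - 4)
        end = (size_t)comp_size + 4;

    if (magic == LZFU_MAGIC_MELA) {               /* uncompressed: plain copy */
        size_t len = end - LZFU_HEADER_SIZE;
        if (len > out_cap) return LZFU_ERR_OUTPUT_FULL;
        memcpy(out, in + LZFU_HEADER_SIZE, len);
        *out_len = len;
        return LZFU_OK;
    }
    if (magic != LZFU_MAGIC_LZFU)
        return LZFU_ERR_BAD_MAGIC;

    memset(dict, 0, sizeof dict);
    memcpy(dict, lzfu_prefix, LZFU_PREFIX_LEN);
    wpos = LZFU_PREFIX_LEN;
    pos  = LZFU_HEADER_SIZE;

    for (;;) {
        uint8_t ctrl;
        int bit;
        if (pos >= end) { *out_len = n; return LZFU_ERR_TRUNCATED; }
        ctrl = in[pos++];
        for (bit = 0; bit < 8; bit++) {
            if ((ctrl >> bit) & 1) {
                /* Back-reference: big-endian 16 bits = 12-bit offset, 4-bit (length - 2). */
                size_t off, len, i;
                if (end - pos < 2) { *out_len = n; return LZFU_ERR_TRUNCATED; }
                off = ((size_t)in[pos] << 4) | (in[pos + 1] >> 4);
                len = (size_t)(in[pos + 1] & 0x0F) + 2;
                pos += 2;
                if (off == wpos) { *out_len = n; return LZFU_OK; }   /* end-of-stream token */
                for (i = 0; i < len; i++) {
                    uint8_t c = dict[(off + i) & (LZFU_DICT_SIZE - 1)];  /* dictionary is circular */
                    if (n >= out_cap) { *out_len = n; return LZFU_ERR_OUTPUT_FULL; }
                    out[n++] = c;
                    dict[wpos] = c;
                    wpos = (wpos + 1) & (LZFU_DICT_SIZE - 1);
                }
            } else {                                   /* literal byte */
                uint8_t c;
                if (pos >= end) { *out_len = n; return LZFU_ERR_TRUNCATED; }
                c = in[pos++];
                if (n >= out_cap) { *out_len = n; return LZFU_ERR_OUTPUT_FULL; }
                out[n++] = c;
                dict[wpos] = c;
                wpos = (wpos + 1) & (LZFU_DICT_SIZE - 1);
            }
        }
    }
}

/* Constructed 27-byte sample (not the attachment from this issue): COMPSIZE 23, RAWSIZE 11,
 * 'LZFu', CRC left zero; then control byte 0xC0, six literals "hello ", a reference to
 * dictionary offset 207 of length 5 (copies "hello"), and the end token at offset 218. */
static const uint8_t lzfu_sample[] = {
    23, 0, 0, 0,  11, 0, 0, 0,  'L', 'Z', 'F', 'u',  0, 0, 0, 0,
    0xC0, 'h', 'e', 'l', 'l', 'o', ' ',  0x0C, 0xF3,  0x0D, 0xA0
};
static uint8_t demo_out[64];   /* scratch for the stand-alone demo */
static size_t  demo_n;

int main(void)
{
    enum lzfu_status st = lzfu_decompress(lzfu_sample, sizeof lzfu_sample, demo_out, sizeof demo_out, &demo_n);
    printf("full input: status %d, %zu bytes: %.*s\n", (int)st, demo_n, (int)demo_n, demo_out);
    st = lzfu_decompress(lzfu_sample, 25, demo_out, sizeof demo_out, &demo_n);
    printf("header claims 27 bytes, given 25: status %d, %zu bytes recovered\n", (int)st, demo_n);
    return 0;
}
```

The second call in main is the shape of input this issue is about: the header's COMPSIZE still promises 27 bytes, only 25 are present, and a decoder that sizes its loop from the header reads two bytes past the allocation. Clamping `end` to `in_len` turns that into a LZFU_ERR_TRUNCATED with the 11 bytes decoded so far. The CRC field is read past, not verified; it is a corruption check, not a defence against a crafted file.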


Yeraze commented Mar 7, 2017

Closing as part of 1.9.2 release.

Yeraze closed this as completed Mar 7, 2017