liblnk_io_handle_read_data_blocks does not check data size before reading 4 byte signature

[joachimmetz]

disclosed PoC files affecting liblnk

Per #13
Someone else also found some relevant crashes, please see http://seclists.org/fulldisclosure/2018/Jun/33

This issue was not directly reported to the liblnk project

Also looks overkill to get CVEs for minor OOB reads:

• liblnk_data_string_get_utf8_string_size 1 byte OOB read
• liblnk_location_information_read_data 2 byte OOB read
• liblnk_data_block_read 1 byte OOB read

allows remote attackers to cause an information disclosure (heap-based buffer
over-read) via a crafted lnk file

Until date no proof has been presented to back up these claims

[joachimmetz]

liblnk_io_handle_read_data_blocks: reading data block at offset: 2503 (0x000009c7)
liblnk_io_handle_read_data_blocks: data block size                      : 4

==27738== Invalid read of size 1
==27738==    at 0x4593A4: liblnk_data_block_read (liblnk_data_block.c:296)
==27738==    by 0x4473C3: liblnk_file_open_read (liblnk_file.c:1486)
==27738==    by 0x4461C3: liblnk_file_open_file_io_handle (liblnk_file.c:627)
==27738==    by 0x445F1C: liblnk_file_open (liblnk_file.c:345)
==27738==    by 0x40185C: info_handle_open_input (info_handle.c:415)
==27738==    by 0x404638: main (lnkinfo.c:265)

[joachimmetz]

liblnk_data_block_read does not ensure block data size > 4 when trying to read the block signature.

[joachimmetz]

Addressed in cb7fe0c