
integer underflow in unicode_to_utf8 #23

Closed
yyyyxf opened this issue May 10, 2017 · 4 comments

yyyyxf commented May 10, 2017

tnef 1.4.14
tnef -f $file

==11058== Invalid write of size 1
==11058== at 0x41526B: unicode_to_utf8 (util.c:98)
==11058== by 0x40BC14: mapi_attr_read (mapi_attr.c:215)
==11058== by 0x412BD8: parse_file (tnef.c:305)
==11058== by 0x402433: main (main.c:380)

unsigned char*
unicode_to_utf8 (size_t len, unsigned char* buf)
{
    int i = 0;
    int j = 0;
    unsigned char* utf8 = malloc (3 * len/2 + 1); /* won't get any longer than this */

    for (i = 0; i < len - 1; i += 2)

When len is 0, (len - 1) underflows.

poc.zip
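The following is an added example, not code from tnef or from the reporter. It isolates the two things the report describes: the loop condition `i < len - 1` on an unsigned `size_t`, which is true for `len == 0` because `len - 1` wraps to `SIZE_MAX`, and a rewrite of the conversion loop whose bound cannot wrap. The converter assumes UTF-16LE input limited to the BMP (the 2-byte-per-unit loop in the report suggests this, but tnef's actual decoding rules are not shown on the page); the function name `unicode_to_utf8_safe`, the handling of lone surrogates as U+FFFD and the sample input are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Evaluates the original loop's entry condition without performing any
 * write. len is size_t, so for len == 0 the expression len - 1 wraps to
 * SIZE_MAX and the comparison is true: the loop body would run although
 * malloc(3 * 0 / 2 + 1) returned a 1-byte buffer. Returns 1 if the loop
 * would be entered, 0 otherwise. */
int underflowing_bound_admits_iteration(size_t len)
{
    int i = 0;                 /* same type as in the report */
    return (i < len - 1) ? 1 : 0;
}

/* Hardened rewrite (added example, not tnef's code).
 * Assumptions: buf holds UTF-16LE code units, BMP only; lone surrogates are
 * replaced by U+FFFD. An odd trailing byte is ignored. len == 0 yields an
 * empty string instead of an out-of-bounds write, because the loop bound
 * is written as i + 1 < len, which never wraps. Returns NULL only on
 * allocation failure; the caller frees the result. */
unsigned char *unicode_to_utf8_safe(size_t len, const unsigned char *buf)
{
    size_t units = len / 2;
    if (units > (SIZE_MAX - 1) / 3)          /* 3 * units + 1 must not overflow */
        return NULL;
    unsigned char *out = malloc(3 * units + 1);
    if (out == NULL)
        return NULL;

    size_t j = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {   /* safe for len == 0 and odd len */
        uint32_t cp = (uint32_t)buf[i] | ((uint32_t)buf[i + 1] << 8);
        if (cp >= 0xD800 && cp <= 0xDFFF)
            cp = 0xFFFD;                         /* lone surrogate: replacement char */
        if (cp < 0x80) {
            out[j++] = (unsigned char)cp;
        } else if (cp < 0x800) {
            out[j++] = (unsigned char)(0xC0 | (cp >> 6));
            out[j++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else {                                 /* 3 bytes: the maximum for a BMP unit */
            out[j++] = (unsigned char)(0xE0 | (cp >> 12));
            out[j++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[j++] = (unsigned char)(0x80 | (cp & 0x3F));
        }
    }
    out[j] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: "H", U+00E9, U+20AC in UTF-16LE. */
    const unsigned char sample[] = { 0x48, 0x00, 0xE9, 0x00, 0xAC, 0x20 };

    printf("len=0 enters original loop: %d\n", underflowing_bound_admits_iteration(0));
    printf("len=1 enters original loop: %d\n", underflowing_bound_admits_iteration(1));

    unsigned char *s = unicode_to_utf8_safe(sizeof sample, sample);
    if (s) { printf("converted: %s\n", s); free(s); }

    unsigned char *empty = unicode_to_utf8_safe(0, sample);
    if (empty) { printf("len=0 gives empty string of length %zu\n", strlen((char *)empty)); free(empty); }
    return 0;
}
```

The allocation size check mirrors the `__builtin_mul_overflow` note in the 1.4.14 changelog quoted below: the `3 * len / 2 + 1` arithmetic is only safe once `len` itself is bounded, so both the loop bound and the multiplication are checked.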

@verdammelt verdammelt added the bug label May 10, 2017

carnil commented May 12, 2017

This has been assigned CVE-2017-8911

verdammelt added a commit that referenced this issue May 28, 2017
1. Assert that names must be non-zero length.
2. Keep unicode_to_utf8 from underflowing.
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jun 20, 2017
* 1.4.15 [28 May 2017]
** Fix underflow problem
*** verdammelt/tnef#23

* 1.4.14 [19 March 2017]
** Use __builtin_mul_overflow when available.
** Fixing Unicode related bugs introduced in previous release.
*** verdammelt/tnef#20
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Jun 20, 2017
(same pkgsrc changelog entry as above)

dtimms commented Oct 24, 2017

$ tnef -V
tnef 1.4.15
Copyright (C) 1999-2017 by Mark Simpson
Copyright (C) 1997 by Thomas Boll (original code)
tnef comes with ABSOLUTELY NO WARRANTY.
...
$ tnef -f poc.tnef 
tnef: mapi_attr.c:215: mapi_attr_read: Assertion `a->names[i].len != 0' failed.
Aborted (core dumped)

Is the change supposed to still do a core dump?

verdammelt (Owner) commented

Yes. The assertion fails and the application terminates, dumping core. It is not an unexpected core dump, such as from a memory access problem, but on purpose, by using assert.


dtimms commented Oct 26, 2017

OK, thanks for the info. I'll get the Fedora-built rpm packages pushed soon.
