
integer underflow in unicode_to_utf8  #23

Closed
@yyyyxf

Description


tnef 1.4.14
tnef -f $file

==11058== Invalid write of size 1
==11058== at 0x41526B: unicode_to_utf8 (util.c:98)
==11058== by 0x40BC14: mapi_attr_read (mapi_attr.c:215)
==11058== by 0x412BD8: parse_file (tnef.c:305)
==11058== by 0x402433: main (main.c:380)

unsigned char*
unicode_to_utf8 (size_t len, unsigned char* buf)
{
int i = 0;
int j = 0;
unsigned char *utf8 = malloc (3 * len/2 + 1); /* won't get any longer than this */

for (i = 0; i < len - 1; i += 2)

When len is 0, (len - 1) underflows.

poc.zip
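The condition the report describes, reproduced without executing the original loop body, next to a bounds-checked rewrite. This is an added example and not tnef's code or its eventual fix: `original_loop_condition_holds` evaluates the loop header with the same types as util.c (an `int` index compared against a `size_t` length, so `len - 1` wraps to `SIZE_MAX` for `len == 0` and the comparison is true), and `unicode_to_utf8_safe` is a hypothetical replacement that rejects empty and odd-length input, guards the `3 * len/2 + 1` size computation, and uses `i + 1 < len` so nothing can wrap. It treats each UTF-16LE code unit as one code point (surrogate pairs are emitted as two 3-byte sequences), which stays inside the 3-bytes-per-unit buffer bound the original comment relies on.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Evaluates the original loop header `i < len - 1` for a given len without
 * running the body.  i is int and len is size_t, so i is converted to size_t
 * for the comparison (written explicitly here); for len == 0 the right-hand
 * side wraps to SIZE_MAX and the condition holds, which is why the body then
 * writes through a 1-byte malloc(3 * 0 / 2 + 1) allocation. */
int original_loop_condition_holds(size_t len)
{
    int i = 0;
    return (size_t)i < len - 1;
}

/* Hypothetical hardened variant (not tnef's own code).  Converts UTF-16LE in
 * buf[0..len) to NUL-terminated UTF-8, writes the byte count to *out_len and
 * returns a malloc'd buffer, or NULL on invalid input or allocation failure. */
unsigned char *unicode_to_utf8_safe(size_t len, const unsigned char *buf,
                                    size_t *out_len)
{
    size_t i, j = 0, cap;
    unsigned char *utf8;

    /* Empty input: return early instead of letting len - 1 wrap.  Odd lengths
     * cannot be a whole number of UTF-16 code units, so reject them too. */
    if (buf == NULL || out_len == NULL || len < 2 || (len & 1))
        return NULL;

    /* Each 2-byte unit yields at most 3 UTF-8 bytes, plus one NUL.  Make sure
     * 3 * (len / 2) + 1 cannot overflow before computing it. */
    if (len / 2 > (SIZE_MAX - 1) / 3)
        return NULL;
    cap = 3 * (len / 2) + 1;

    utf8 = malloc(cap);
    if (utf8 == NULL)
        return NULL;

    /* i + 1 < len is equivalent to i < len - 1 but cannot underflow. */
    for (i = 0; i + 1 < len; i += 2) {
        uint32_t c = (uint32_t)buf[i] | ((uint32_t)buf[i + 1] << 8);

        if (c < 0x80) {
            utf8[j++] = (unsigned char)c;
        } else if (c < 0x800) {
            utf8[j++] = (unsigned char)(0xC0 | (c >> 6));
            utf8[j++] = (unsigned char)(0x80 | (c & 0x3F));
        } else {
            utf8[j++] = (unsigned char)(0xE0 | (c >> 12));
            utf8[j++] = (unsigned char)(0x80 | ((c >> 6) & 0x3F));
            utf8[j++] = (unsigned char)(0x80 | (c & 0x3F));
        }
    }
    utf8[j] = '\0';   /* j <= 3 * (len / 2), so this is within cap */
    *out_len = j;
    return utf8;
}
```

With the report's trigger (`len == 0`), `original_loop_condition_holds(0)` is true while `unicode_to_utf8_safe(0, ...)` returns NULL; a constructed three-unit UTF-16LE string "A", U+00E9, U+20AC converts to the six bytes `41 C3 A9 E2 82 AC`.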
