integer underflow in unicode_to_utf8 #23
This has been assigned CVE-2017-8911
verdammelt added a commit that referenced this issue May 28, 2017
1. Assert that names must be non-zero length. 2. Keep unicode_to_utf8 from underflowing.
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jun 20, 2017
* 1.4.15 [28 May 2017]
** Fix underflow problem
*** verdammelt/tnef#23
* 1.4.14 [19 March 2017]
** Use __builtin_mul_overflow when available.
** Fixing Unicode related bugs introduced in previous release.
*** verdammelt/tnef#20
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Jun 20, 2017
* 1.4.15 [28 May 2017]
** Fix underflow problem
*** verdammelt/tnef#23
* 1.4.14 [19 March 2017]
** Use __builtin_mul_overflow when available.
** Fixing Unicode related bugs introduced in previous release.
*** verdammelt/tnef#20
Is the change supposed to still do a core dump?
Yes. The assertion fails and the application terminates, dumping core. It is not an unexpected core dump such as from a memory access problem - but on purpose by using
OK, thanks for the info. I'll get the Fedora built rpm packages pushed soon.
tnef 1.4.14
tnef -f $file
==11058== Invalid write of size 1
==11058== at 0x41526B: unicode_to_utf8 (util.c:98)
==11058== by 0x40BC14: mapi_attr_read (mapi_attr.c:215)
==11058== by 0x412BD8: parse_file (tnef.c:305)
==11058== by 0x402433: main (main.c:380)
unsigned char*
unicode_to_utf8 (size_t len, unsigned char* buf)
{
    int i = 0;
    int j = 0;
    unsigned char *utf8 = malloc (3 * len/2 + 1); /* won't get any longer than this */
poc.zip
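An added illustration, not tnef's code and not the fix from the referenced commit: with a `size_t` length, a loop bound written as `len - 1` wraps to `SIZE_MAX` when `len` is 0, while `i + 1 < len` never subtracts from the length. The `len - 1` loop shape is an assumption (the excerpt above stops after the `malloc`), and `wrapped_bound` and `utf16le_to_utf8_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Value a bound written as `len - 1` takes for a size_t len (assumed loop
   shape, not taken from tnef): for len == 0 it wraps to SIZE_MAX. */
size_t wrapped_bound(size_t len) { return len - 1; }

/* Hardened UTF-16LE -> UTF-8 conversion (code units only, surrogates are not
   paired, so each 2-byte unit yields at most 3 bytes and 3*len/2 + 1 suffices).
   Returns a NUL-terminated heap buffer, or NULL on overflow or allocation failure. */
unsigned char *utf16le_to_utf8_checked(size_t len, const unsigned char *buf)
{
    if (len > SIZE_MAX / 3) return NULL;      /* 3 * len must not wrap */
    unsigned char *out = malloc(3 * len / 2 + 1);
    if (out == NULL) return NULL;
    size_t j = 0;
    /* i + 1 < len is safe for len == 0 and ignores a trailing odd byte */
    for (size_t i = 0; i + 1 < len; i += 2) {
        unsigned int c = buf[i] | ((unsigned int)buf[i + 1] << 8);
        if (c < 0x80) {
            out[j++] = (unsigned char)c;
        } else if (c < 0x800) {
            out[j++] = (unsigned char)(0xC0 | (c >> 6));
            out[j++] = (unsigned char)(0x80 | (c & 0x3F));
        } else {
            out[j++] = (unsigned char)(0xE0 | (c >> 12));
            out[j++] = (unsigned char)(0x80 | ((c >> 6) & 0x3F));
            out[j++] = (unsigned char)(0x80 | (c & 0x3F));
        }
    }
    out[j] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: "A", U+00E9, U+20AC in UTF-16LE */
    const unsigned char in[] = {0x41, 0x00, 0xE9, 0x00, 0xAC, 0x20};
    unsigned char *s = utf16le_to_utf8_checked(sizeof in, in);
    unsigned char *empty = utf16le_to_utf8_checked(0, in);
    if (s == NULL || empty == NULL) return 1;
    printf("len - 1 for len == 0: %zu\n", wrapped_bound(0));
    printf("converted: %s, empty input length: %d\n", (char *)s, empty[0] != 0);
    free(s);
    free(empty);
    return 0;
}
```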