
Bug#862708: overread of heap-data in TNEFDefaultHandler by a missing null byte

Package: libytnef0
Version: 1.9.2-1
Severity: normal
Tags: security

Hi,

We find that the following code may cause an over-read of the buffer and leak extra bytes to the output.
The reason is that the data char array is a user-controlled value and is not guaranteed to end with a '\0' byte, so it needs extra checking, or we can force the last byte to be '\0'.
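To illustrate the class of bug and the bounded alternative, here is an added example (not code from this report or from libytnef): an attribute value is a caller-supplied buffer of exactly `size` bytes with no guaranteed terminator, and the `%.*s` precision bounds what printf reads without modifying the buffer. The function names and the sample value are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Length-bounded rendering of "<name>: [<size>] <value>", the same layout
 * the handler prints. The "%.*s" precision makes printf stop after 'size'
 * bytes (or at the first '\0', whichever comes first), so no byte past the
 * end of the block is read and 'data' is never written to.
 * Returns the number of characters snprintf would have produced. */
int format_attr(char *out, size_t outlen, const char *name,
                int size, const char *data)
{
    if (size < 0)
        size = 0;                     /* defensive: a negative size is bogus */
    return snprintf(out, outlen, "%s: [%i] %.*s", name, size, size, data);
}

/* Reports whether a '\0' exists within the first 'size' bytes, i.e. whether
 * a plain "%s" would stop inside the buffer at all. For a value that comes
 * straight out of the file this is usually 0, which is the over-read case. */
int has_terminator(const char *data, int size)
{
    return size > 0 && memchr(data, '\0', (size_t)size) != NULL;
}

int main(void)
{
    /* Constructed sample: a 2-byte value with no terminating '\0'. */
    char value[2] = { 'o', 'k' };
    char line[64];

    printf("terminator present: %d\n", has_terminator(value, 2));
    format_attr(line, sizeof line, "Request Response", 2, value);
    puts(line);
    /* A zero-length value prints nothing after the bracket and touches no
     * byte of 'value' at all, where data[size-1] would index data[-1]. */
    format_attr(line, sizeof line, "Request Response", 0, value);
    puts(line);
    return 0;
}
```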

libytnef.c: 246
int TNEFDefaultHandler STD_ARGLIST {
  if (TNEF->Debug >= 1){ 
+          data[size-1]='\0';
    printf("%s: [%i] %s\n", TNEFList[id].name, size, data);}
  return 0;
}
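Review bot: the added `data[size-1]='\0';` fixes the over-read by writing into the attribute buffer, which overwrites the value's real last byte in the Debug output and, when `size` is 0, indexes `data[-1]`; since the handler already receives `size`, bound the read with a precision instead, e.g. `printf("%s: [%i] %.*s\n", TNEFList[id].name, size, size, data);`, which leaves `data` untouched and handles an empty value. Also worth posting this as a proper unified diff against the source, since the snippet is labelled libytnef.c:246 while the trace below reports the read at ytnef.c:250, and a reviewer cannot tell which file and line the change targets from the bare `+` line.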

To verify this, use the testcase from:
https://github.com/bingosxs/fuzzdata/raw/master/ytnef-1.9/18-TNEFDefaultHandler.tnef

Run the sample with the command:

ytnef/.libs/ytnef -v 18-TNEFDefaultHandler.tnef

The trace log is:
=================================================================

canicula@canicula-Lenovo-Product-64:~/afl/test/libytnef0/testenv$ valgrind ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id\:000018\,sig\:06\,src\:000011\,op\:int16\,pos\:1141\,val\:+16
==16517== Memcheck, a memory error detector
==16517== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==16517== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==16517== Command: ./bin/ytnef -v ../../libytnef0/testenv/out/crashes/id:000018,sig:06,src:000011,op:int16,pos:1141,val:+16
==16517==
Attempting to parse ../../libytnef0/testenv/out/crashes/id:000018,sig:06,src:000011,op:int16,pos:1141,val:+16...
Request Response: [2] �
==16517== Invalid read of size 1
==16517==    at 0x50A8CC0: vfprintf (vfprintf.c:1632)
==16517==    by 0x50AF898: printf (printf.c:33)
==16517==    by 0x4E3BE42: TNEFDefaultHandler (ytnef.c:250)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5424b71 is 0 bytes after a block of size 1 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E46450: TNEFParse (ytnef.c:1154)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
Message Status: [1] !
==16517== Invalid write of size 4
==16517==    at 0x4E3F381: TNEFFillMapi (ytnef.c:543)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd8 is 8 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
==16517== Invalid write of size 8
==16517==    at 0x4E3F39A: TNEFFillMapi (ytnef.c:544)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd0 is 0 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
==16517== Invalid read of size 4
==16517==    at 0x4E3F437: TNEFFillMapi (ytnef.c:548)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==  Address 0x5427cd8 is 8 bytes after a block of size 0 alloc'd
==16517==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16517==    by 0x4E3F213: TNEFFillMapi (ytnef.c:482)
==16517==    by 0x4E3D582: TNEFMapiProperties (ytnef.c:396)
==16517==    by 0x4E46C49: TNEFParse (ytnef.c:1184)
==16517==    by 0x4E45C85: TNEFParseFile (ytnef.c:1042)
==16517==    by 0x4017F8: main (main.c:125)
==16517==
Corrupted file detected at ytnef.c : 546
ERROR Parsing MAPI block
calendar.ics
==16517==
==16517== HEAP SUMMARY:
==16517==     in use at exit: 2,124 bytes in 531 blocks
==16517==   total heap usage: 607 allocs, 76 frees, 17,132 bytes allocated
==16517==
==16517== LEAK SUMMARY:
==16517==    definitely lost: 2,124 bytes in 531 blocks
==16517==    indirectly lost: 0 bytes in 0 blocks
==16517==      possibly lost: 0 bytes in 0 blocks
==16517==    still reachable: 0 bytes in 0 blocks
==16517==         suppressed: 0 bytes in 0 blocks
==16517== Rerun with --leak-check=full to see details of leaked memory
==16517==
==16517== For counts of detected and suppressed errors, rerun with: -v
==16517== ERROR SUMMARY: 1593 errors from 4 contexts (suppressed: 0 from 0)
--------------------------------------------------------
Self ref: https://github.com/Yeraze/ytnef/issues/48

Credits: National Computer Network Emergency Response Technical Team/Coordination Center of China. Wang Bo, Fan Lejun, Wu Qian. TCA, ISCAS.
