Yeraze / ytnef

Yeraze's TNEF Stream Reader - for winmail.dat files
GNU General Public License v2.0

heap-buffer-overrun problem in TNEFDateHandler #46

Closed bingosxs closed 6 years ago

bingosxs commented 7 years ago

We discovered a heap overrun problem in the TNEFDateHandler function. The cause is a missing boundary check. We propose a patch as follows:

ytnef.0/lib/ytnef.c +683
  for (i = 0; i < sizeof(dtr) / sizeof(WORD); i++) {
++    char *d=tmp_src;
++    SIZECHECK(sizeof(WORD));
    *tmp_dst++ = SwapWord((BYTE *)tmp_src++, sizeof(WORD));
  }
  return 0;
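Review bot: the added line "char *d=tmp_src;" is never read by anything visible in this hunk, so it is either dead code or it exists only because SIZECHECK refers to d by name; if it is the latter, a one-line comment saying so would stop the next reader from removing it. Since the loop runs a fixed sizeof(dtr)/sizeof(WORD) iterations and reads exactly one WORD per iteration, a single SIZECHECK(sizeof(dtr)) placed before the loop rejects a short attribute up front, before tmp_dst has been partially filled, and avoids redeclaring d on every pass.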

The trace log from valgrind is:

==5901== Memcheck, a memory error detector
==5901== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==5901== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==5901== Command: ./ytnef/.libs/ytnef -v ../libytnef0/testenv/out/crashes/id:000038,sig:11,src:000179,op:ext_AO,pos:122
==5901== 
Attempting to parse ../libytnef0/testenv/out/crashes/id:000038,sig:11,src:000179,op:ext_AO,pos:122...
==5901== Invalid read of size 1
==5901==    at 0x4E3CC92: SwapWord (ytnef.c:153)
==5901==    by 0x4E3C050: TNEFDateHandler (ytnef.c:686)
==5901==    by 0x4E40A90: TNEFParse (ytnef.c:1188)
==5901==    by 0x4E40432: TNEFParseFile (ytnef.c:1046)
==5901==    by 0x4013EB: main (main.c:125)
==5901==  Address 0x541c788 is 0 bytes after a block of size 8 alloc'd
==5901==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5901==    by 0x4E4086B: TNEFParse (ytnef.c:1158)
==5901==    by 0x4E40432: TNEFParseFile (ytnef.c:1046)
==5901==    by 0x4013EB: main (main.c:125)
==5901== 
Out of Memory at ytnef.c : 426
ERROR Parsing MAPI block
==5901== Invalid read of size 4
==5901==    at 0x4E40E0C: MAPIFindUserProp (ytnef.c:1221)
==5901==    by 0x401637: ProcessTNEF (main.c:168)
==5901==    by 0x40146A: main (main.c:130)
==5901==  Address 0x14 is not stack'd, malloc'd or (recently) free'd
==5901== 
==5901== 
==5901== Process terminating with default action of signal 11 (SIGSEGV)
==5901==  Access not within mapped region at address 0x14
==5901==    at 0x4E40E0C: MAPIFindUserProp (ytnef.c:1221)
==5901==    by 0x401637: ProcessTNEF (main.c:168)
==5901==    by 0x40146A: main (main.c:130)
==5901==  If you believe this happened as a result of a stack
==5901==  overflow in your program's main thread (unlikely but
==5901==  possible), you can try to increase the size of the
==5901==  main thread stack using the --main-stacksize= flag.
==5901==  The main thread stack size used in this run was 8388608.
==5901== 
==5901== HEAP SUMMARY:
==5901==     in use at exit: 0 bytes in 0 blocks
==5901==   total heap usage: 9 allocs, 9 frees, 5,732 bytes allocated
==5901== 
==5901== All heap blocks were freed -- no leaks are possible
==5901== 
==5901== For counts of detected and suppressed errors, rerun with: -v
==5901== ERROR SUMMARY: 7 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

The testcase can be downloaded here: testcase
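A bounds-checked decoder for the DTR date block, added here to illustrate the missing check the report describes; this is not ytnef's own code, and the seven-word layout, the function names and the sample bytes are assumptions:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the TNEF DTR date block: seven little-endian 16-bit
 * words (year, month, day, hour, minute, second, day-of-week), 14 bytes. */
#define DTR_WORDS 7
#define DTR_BYTES (DTR_WORDS * 2)

typedef struct { uint16_t w[DTR_WORDS]; } dtr_t;

/* Host-order read of one little-endian WORD (what SwapWord does byte-wise). */
static uint16_t read_le16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The shape Valgrind flagged: the loop trusts that DTR_BYTES are present
 * and reads past a shorter allocation. Kept for contrast only. */
int dtr_decode_unchecked(const unsigned char *src, dtr_t *out) {
    for (size_t i = 0; i < DTR_WORDS; i++)
        out->w[i] = read_le16(src + 2 * i);
    return 0;
}

/* Hardened form: one bounds check of the whole block against the size the
 * caller actually owns, before any read. Returns -1 and leaves *out alone
 * on a truncated attribute, so the caller can reject the file. */
int dtr_decode_checked(const unsigned char *src, size_t size, dtr_t *out) {
    if (src == NULL || out == NULL || size < DTR_BYTES)
        return -1;
    for (size_t i = 0; i < DTR_WORDS; i++)
        out->w[i] = read_le16(src + 2 * i);
    return 0;
}

/* Constructed samples: a complete date (2017-01-02 03:04:05, Monday) and an
 * 8-byte truncation like the "block of size 8" in the Valgrind trace. */
const unsigned char DTR_FULL[DTR_BYTES] = {0xE1,0x07, 1,0, 2,0, 3,0, 4,0, 5,0, 1,0};
const unsigned char DTR_SHORT[8]        = {0xE1,0x07, 1,0, 2,0, 3,0};

int main(void) {
    dtr_t d;
    if (dtr_decode_checked(DTR_FULL, sizeof DTR_FULL, &d) == 0)
        printf("year=%u month=%u day=%u\n", d.w[0], d.w[1], d.w[2]);
    printf("truncated -> %d\n", dtr_decode_checked(DTR_SHORT, sizeof DTR_SHORT, &d));
    return 0;
}
```

The check compares against the size the caller really holds (the attribute length from the file, capped by the allocation), which is exactly what the unpatched loop never consulted.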

bingosxs commented 7 years ago

valgrind ./ytnef/.libs/ytnef -v testcase will reproduce the problem.

asarubbo commented 7 years ago

This is a duplicate of #39

Yeraze commented 6 years ago

Released in https://github.com/Yeraze/ytnef/releases/tag/v1.9.3