verdammelt / tnef

GNU General Public License v2.0

integer underflow in unicode_to_utf8 #23

Closed yyyyxf closed 7 years ago

yyyyxf commented 7 years ago

tnef 1.4.14, `tnef -f $file`

```
==11058== Invalid write of size 1
==11058==    at 0x41526B: unicode_to_utf8 (util.c:98)
==11058==    by 0x40BC14: mapi_attr_read (mapi_attr.c:215)
==11058==    by 0x412BD8: parse_file (tnef.c:305)
==11058==    by 0x402433: main (main.c:380)
```

```c
unsigned char *
unicode_to_utf8 (size_t len, unsigned char *buf)
{
    int i = 0;
    int j = 0;
    unsigned char *utf8 = malloc (3 * len/2 + 1); /* won't get any longer than this */

    for (i = 0; i < len - 1; i += 2)
```

When len is 0, (len - 1) underflows.

poc.zip
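The underflow described in the report, as an added example that is not tnef's code: `vulnerable_loop_enters` reproduces the quoted loop condition with a `size_t` length, `fixed_loop_enters` shows the same bound written so it cannot wrap, and `utf16le_to_utf8` is a converter written for this page (the function names and the sample bytes are constructed, not taken from util.c) whose loop bound is safe for a zero length and which returns an error for odd lengths and unpaired surrogates instead of aborting.

```c
/* Added example (not tnef's code): the size_t underflow behind the report
 * above, and a UTF-16LE -> UTF-8 converter whose loop bound cannot wrap.
 * Function names and the sample input are constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The loop condition the report quotes: `i < len - 1` with size_t len.
 * When len == 0, len - 1 wraps to SIZE_MAX, so the loop body runs and the
 * first iteration reads buf[0..1] and writes past a 1-byte allocation. */
int vulnerable_loop_enters(size_t len)
{
    int i = 0;
    return (size_t)i < len - 1;   /* 1 for len == 0: the bug */
}

/* Same bound without the subtraction: `i + 1 < len` requires two bytes to
 * remain and is false for len == 0 and len == 1. */
int fixed_loop_enters(size_t len)
{
    size_t i = 0;
    return i + 1 < len;
}

/* Convert little-endian UTF-16 to a NUL-terminated UTF-8 string.
 * Returns NULL on odd length, malloc failure or an unpaired surrogate;
 * len == 0 yields "". Output never exceeds 3*len/2 bytes plus the NUL
 * (a BMP unit is 2 bytes in, up to 3 out; a surrogate pair is 4 in, 4 out). */
unsigned char *utf16le_to_utf8(const unsigned char *buf, size_t len)
{
    if (len % 2 != 0)
        return NULL;
    unsigned char *out = malloc(3 * len / 2 + 1);
    if (out == NULL)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint32_t c = buf[i] | ((uint32_t)buf[i + 1] << 8);
        if (c >= 0xD800 && c <= 0xDBFF) {            /* high surrogate */
            if (i + 3 >= len) { free(out); return NULL; }
            uint32_t lo = buf[i + 2] | ((uint32_t)buf[i + 3] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) { free(out); return NULL; }
            c = 0x10000 + (((c - 0xD800) << 10) | (lo - 0xDC00));
            i += 2;                                  /* consumed the low half */
        } else if (c >= 0xDC00 && c <= 0xDFFF) {     /* stray low surrogate */
            free(out);
            return NULL;
        }
        if (c < 0x80) {
            out[j++] = (unsigned char)c;
        } else if (c < 0x800) {
            out[j++] = 0xC0 | (c >> 6);
            out[j++] = 0x80 | (c & 0x3F);
        } else if (c < 0x10000) {
            out[j++] = 0xE0 | (c >> 12);
            out[j++] = 0x80 | ((c >> 6) & 0x3F);
            out[j++] = 0x80 | (c & 0x3F);
        } else {
            out[j++] = 0xF0 | (c >> 18);
            out[j++] = 0x80 | ((c >> 12) & 0x3F);
            out[j++] = 0x80 | ((c >> 6) & 0x3F);
            out[j++] = 0x80 | (c & 0x3F);
        }
    }
    out[j] = 0;
    return out;
}

int main(void)
{
    /* Constructed sample: "A", U+00E9, U+20AC, then U+1F600 as a surrogate pair. */
    const unsigned char sample[] = {0x41, 0x00, 0xE9, 0x00, 0xAC, 0x20,
                                    0x3D, 0xD8, 0x00, 0xDE};
    printf("len 0: vulnerable loop enters = %d, fixed loop enters = %d\n",
           vulnerable_loop_enters(0), fixed_loop_enters(0));
    unsigned char *s = utf16le_to_utf8(sample, sizeof sample);
    if (s != NULL) {
        printf("converted %zu UTF-8 bytes\n", strlen((const char *)s));
        free(s);
    }
    return 0;
}
```

The thread below shows that 1.4.15 handles the case with an assertion in the caller (mapi_attr.c), so a zero-length name still terminates the process; the example instead makes the callee's own bound safe and reports malformed input through the return value, which is the option to prefer when the input is an untrusted attachment.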

carnil commented 7 years ago

This has been assigned CVE-2017-8911

dtimms commented 6 years ago

```
$ tnef -V
tnef 1.4.15
Copyright (C) 1999-2017 by Mark Simpson
Copyright (C) 1997 by Thomas Boll (original code)
tnef comes with ABSOLUTELY NO WARRANTY.
...
$ tnef -f poc.tnef 
tnef: mapi_attr.c:215: mapi_attr_read: Assertion `a->names[i].len != 0' failed.
Aborted (core dumped)
```

Is the change supposed to still do a core dump?

verdammelt commented 6 years ago

Yes. The assertion fails and the application terminates, dumping core. It is not an unexpected core dump, such as one from a memory access problem, but on purpose, by using assert.

dtimms commented 6 years ago

OK, thanks for the info. I'll get the Fedora-built rpm packages pushed soon.