
Heap-buffer-overflow in catdoc version 0.95 (numutils.c)

Open nafiez opened this issue 7 years ago • 1 comment

There's a buffer overflow found during fuzzing. ASAN output:

```
john@fuzzing:~/catdoc/out/crashes$ catdoc id:000001,sig:06,src:000001,op:flip1,pos:50
==4172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5f01618 at pc 0x0805f499 bp 0xbfbb1c68 sp 0xbfbb1c58
READ of size 1 at 0xb5f01618 thread T0
    #0 0x805f498 in getlong /home/john/catdoc/src/numutils.c:22
    #1 0x8064aae in ole_init /home/john/catdoc/src/ole.c:254
    #2 0x8050f8b in analyze_format /home/john/catdoc/src/analyze.c:58
    #3 0x804aab4 in main /home/john/catdoc/src/catdoc.c:180
    #4 0xb7891636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #5 0x804ba7b (/usr/local/bin/catdoc+0x804ba7b)

0xb5f01618 is located 6 bytes to the right of 2-byte region [0xb5f01610,0xb5f01612)
allocated by thread T0 here:
    #0 0xb7ac5dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xb78ee2c5 in __strdup (/lib/i386-linux-gnu/libc.so.6+0x752c5)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/john/catdoc/src/numutils.c:22 getlong
==4172==ABORTING
```

Test file: crashed_file.zip

nafiez, May 04 '18 08:05
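The report above shows a 1-byte read in `getlong` landing past the end of a 2-byte heap allocation. As an added illustration (not catdoc's own code), here is a little-endian 32-bit reader in the style of `getlong` that takes the buffer length and rejects reads that would run past the end; the function and sample names are made up for this example, and the buffers are constructed inputs, one of them 2 bytes long like the region in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked counterpart to a getlong(buf, offset) style
 * helper: the caller passes the buffer length, and a non-zero return means
 * the 4 bytes at `offset` do not lie inside the buffer. */
int getlong_checked(const unsigned char *buf, size_t len, size_t offset,
                    uint32_t *out)
{
    /* `len < 4` is tested first so that `len - 4` cannot wrap around. */
    if (buf == NULL || out == NULL || len < 4 || offset > len - 4)
        return -1;
    *out = (uint32_t)buf[offset]
         | ((uint32_t)buf[offset + 1] << 8)
         | ((uint32_t)buf[offset + 2] << 16)
         | ((uint32_t)buf[offset + 3] << 24);
    return 0;
}

/* Constructed sample input: an 8-byte little-endian header fragment. */
static const unsigned char sample[8] = {0x78, 0x56, 0x34, 0x12,
                                        0xAA, 0xBB, 0xCC, 0xDD};
/* Constructed 2-byte allocation, the size of the region in the report. */
static const unsigned char tiny[2] = {0x01, 0x02};

/* Wrappers returning the value read, or -1 when the read is rejected. */
long long sample_read(size_t offset)
{
    uint32_t v;
    return getlong_checked(sample, sizeof sample, offset, &v) ? -1 : (long long)v;
}

long long tiny_read(size_t offset)
{
    uint32_t v;
    return getlong_checked(tiny, sizeof tiny, offset, &v) ? -1 : (long long)v;
}

int main(void)
{
    printf("sample[0..3] = 0x%08llx\n", sample_read(0));   /* 0x12345678 */
    printf("sample[4..7] = 0x%08llx\n", sample_read(4));   /* 0xddccbbaa */
    printf("sample at 5  = %lld (rejected)\n", sample_read(5));
    printf("tiny at 0    = %lld (rejected)\n", tiny_read(0));
    printf("tiny at 6    = %lld (rejected)\n", tiny_read(6));
    return 0;
}
```

Under ASAN the unchecked form would report exactly the kind of read shown above; with the length check the malformed offset is refused before any memory is touched.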

Similar bug from https://catdocbugs.neocities.org/

  • bug17-numutils-asan.doc
  • bug20-numutils-asan.doc
  • bug26-numutils-asan.doc

nafiez, May 04 '18 09:05