#13 Buffer Overflow in libytnef

open
nobody
5
2013-01-31
2010-02-11
Anonymous
No

Function DecompressRTF() leads to a buffer overflow on certain (not all) TNEF files (presumably on files generated by some recent versions of MS software). A sample file causing the buffer overflow is attached.

The buffer overflow occurs only on RTF decoding of such files - for example, if ytnef is called with "-F" flag. If ytnef is called only with "-f" flag, extraction completes successfully.

Backtrace and framing:

(gdb) backtrace
#0 __kernel_vsyscall () at arch/x86/vdso/vdso32/int80.S:16
#1 0x009c3a91 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0x009c535a in abort () at abort.c:92
#3 0x00a0134d in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#4 0x00a8d1ed in __fortify_fail (msg=<value optimized out>) at fortify_fail.c:32
#5 0x00a8b30a in __chk_fail () at chk_fail.c:29
#6 0x00a8a5e4 in __strcpy_chk (dest=<value optimized out>, src=<value optimized out>, destlen=<value optimized out>) at strcpy_chk.c:61
#7 0x00b11f29 in strcpy (p=0x9062198, size=0xbfb292c8) at /usr/include/bits/string3.h:106
#8 DecompressRTF (p=0x9062198, size=0xbfb292c8) at ytnef.c:1331
#9 0x0804bf0e in ProcessTNEF (TNEF=...) at main.c:159
#10 0x0804c222 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:108

#5 0x00a8b30a in __chk_fail () at chk_fail.c:29
29 __fortify_fail ("buffer overflow detected");

#6 0x00a8a5e4 in __strcpy_chk (dest=<value optimized out>, src=<value optimized out>, destlen=<value optimized out>) at strcpy_chk.c:61
61 __chk_fail ();

#7 0x00b11f29 in strcpy (p=0x9062198, size=0xbfb292c8) at /usr/include/bits/string3.h:106
106 {

#8 DecompressRTF (p=0x9062198, size=0xbfb292c8) at ytnef.c:1331
1331 strcpy(comp_Prebuf.data, RTF_PREBUF);

#9 0x0804bf0e in ProcessTNEF (TNEF=...) at main.c:159
159 if ((buf.data = DecompressRTF(filename, &(buf.size))) != NULL) {

If I can help further, please let me know.

Assen Totin
assen dot totin at gmail dot com

Discussion

  • Example of winmail.dat file, received over email, which causes the RTF buffer overflow

  • I can confirm this bug. Thanks to Assen Totin's backtrace I found the erroneous line to be line 1330 in ytnef.c. It should be

    comp_Prebuf.data = calloc(comp_Prebuf.size+1, 1);

    instead of

    comp_Prebuf.data = calloc(comp_Prebuf.size, 1);

    as otherwise there is not enough memory allocated for the string to be copied in line 1331.

  • Petr Písař
    2012-07-09

    I think copying the trailing zero is unnecessary as it's never accessed. Thus the Fedora Linux distribution has incorporated a different fix <https://bugzilla.redhat.com/show_bug.cgi?id=831322>.
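As an added illustration (not code from ytnef or from either commenter), a bounds-checked version of the copy discussed in the two comments above: the first fix allocates size+1 bytes so strcpy() has room for the terminator; the second copies only size bytes and never writes one. A short constructed string stands in for RTF_PREBUF, and the function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for ytnef's RTF_PREBUF; only its length and NUL matter. */
static const char SAMPLE_PREBUF[] = "{\\rtf1\\ansi\\mac\\deff0\\deftab720{\\fonttbl;}";

/* Bounds-checked copy in the spirit of the __strcpy_chk frame in the
 * backtrace: strcpy() writes strlen(src)+1 bytes, so an allocation of only
 * strlen(src) bytes (the report's line 1330) is refused with NULL. */
char *copy_prebuf_checked(size_t alloc_bytes, const char *src, size_t *size_out) {
    size_t need = strlen(src) + 1;       /* payload plus NUL terminator */
    char *data;
    if (alloc_bytes < need)
        return NULL;                     /* the off-by-one would overflow */
    if ((data = calloc(alloc_bytes, 1)) == NULL)
        return NULL;
    *size_out = need - 1;
    strcpy(data, src);                   /* safe: room for the terminator */
    return data;
}

/* The approach Petr's comment describes: copy exactly size bytes with
 * memcpy and never write the terminator, so calloc(size, 1) is enough. */
char *copy_prebuf_unterminated(const char *src, size_t *size_out) {
    *size_out = strlen(src);
    char *data = calloc(*size_out, 1);
    if (data != NULL)
        memcpy(data, src, *size_out);    /* no NUL, no extra byte needed */
    return data;
}

/* Try the checked copy with a given allocation: strlen(SAMPLE_PREBUF) bytes
 * reproduces the report (-1); strlen+1, the fix from the discussion (0). */
int try_checked_copy(size_t alloc_bytes) {
    size_t size = 0;
    char *p = copy_prebuf_checked(alloc_bytes, SAMPLE_PREBUF, &size);
    int rc = (p == NULL) ? -1 : (strcmp(p, SAMPLE_PREBUF) == 0 ? 0 : -2);
    free(p);
    return rc;
}

/* Unterminated variant: 1 if exactly size bytes round-trip, else 0. */
int try_unterminated_copy(void) {
    size_t size = 0;
    char *p = copy_prebuf_unterminated(SAMPLE_PREBUF, &size);
    int ok = p != NULL && size == strlen(SAMPLE_PREBUF)
             && memcmp(p, SAMPLE_PREBUF, size) == 0;
    free(p);
    return ok;
}
```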
