Discussion:
[oss-security] catdoc: out of bounds heap read and nullpointer / segfault
Hanno Böck
2018-11-25 08:57:37 UTC
Permalink
I reported two memory safety bugs in the command line tool catdoc.
However the mails to the developer bounced.

The first is an out of bounds heap read, to detect it catdoc needs to
be compiled with address sanitizer (test it with -fsanitize=address in
CFLAGS).

The second is a null pointer and will just crash catdoc.


ASAN crash traces:

==4036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000015d1 at pc 0x00000050560c bp 0x7ffe3d0b7d40 sp 0x7ffe3d0b7d38
READ of size 1 at 0x6020000015d1 thread T0
#0 0x50560b in getlong /f/catdoc/catdoc-0.95/src/numutils.c:22:37
#1 0x506c7d in ole_init /f/catdoc/catdoc-0.95/src/ole.c:254:18
#2 0x4fa2df in analyze_format /f/catdoc/catdoc-0.95/src/analyze.c:58:17
#3 0x4f6bec in main /f/catdoc/catdoc-0.95/src/catdoc.c:180:6
#4 0x7fa1362ae4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
#5 0x41b489 in _start (/r/catdoc/catdoc+0x41b489)

0x6020000015d1 is located 0 bytes to the right of 1-byte region [0x6020000015d0,0x6020000015d1)
allocated by thread T0 here:
#0 0x4c5973 in malloc (/r/catdoc/catdoc+0x4c5973)
#1 0x505e70 in ole_init /f/catdoc/catdoc-0.95/src/ole.c:119:10
#2 0x4fa2df in analyze_format /f/catdoc/catdoc-0.95/src/analyze.c:58:17
#3 0x4f6bec in main /f/catdoc/catdoc-0.95/src/catdoc.c:180:6
#4 0x7fa1362ae4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)



And:

==6151==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000509f93 bp 0x0c18000000d1 sp 0x7fff4819ed80 T0)
==6151==The signal is caused by a READ memory access.
==6151==Hint: address points to the zero page.
#0 0x509f92 in calcFileBlockOffset /f/catdoc/catdoc-0.95/src/ole.c
#1 0x509f92 in ole_read /f/catdoc/catdoc-0.95/src/ole.c:493
#2 0x4fa3ec in analyze_format /f/catdoc/catdoc-0.95/src/analyze.c:64:14
#3 0x4f6bec in main /f/catdoc/catdoc-0.95/src/catdoc.c:180:6
#4 0x7f70645a64ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
#5 0x41b489 in _start (/r/catdoc/catdoc+0x41b489)
--
Hanno Böck
https://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Agostino Sarubbo
2018-11-25 12:09:12 UTC
Permalink
Post by Hanno Böck
I reported two memory safety bugs in the command line tool catdoc.
However the mails to the developer bounced.
The first is an out of bounds heap read, to detect it catdoc needs to
be compiled with address sanitizer (test it with -fsanitize=address in
CFLAGS).
The second is a null pointer and will just crash catdoc.
Hi Hanno,

something about catdoc was already reported time ago:
https://marc.info/?l=oss-security&m=142627461816744&w=2

I don't know atm if your findings are duplicate or not.
--
Agostino Sarubbo
Gentoo Linux Developer
Hanno Böck
2018-11-25 14:18:53 UTC
Permalink
Hi,

On Sun, 25 Nov 2018 13:09:12 +0100
Post by Agostino Sarubbo
https://marc.info/?l=oss-security&m=142627461816744&w=2
I don't know atm if your findings are duplicate or not.
There was a version with fixes inbetween (0.95, may 2016) which says in
the changelog "Fixed lot of segfaults on incorrect or corrupted
data" [1].
My reports are mainly to have it publicly referenced that it's still
not robust.


[1] https://www.wagner.pp.ru/~vitus/software/catdoc/changelog.html
--
Hanno Böck
https://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Loading...