Merge pull request #32 from Yeraze/security/out_of_bounds_MAPIPrint

BugFix - data length error
Yeraze · Mar 7, 2017 · b4133d8 · b4133d8
2 parents 73ef200 + 22f8346
commit b4133d8
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 4 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,27 @@
+v1.9.2 - February 23, 2017 
+
+Thanks to @hannob for finding some Out-of-bound exceptions in memory handline.
+* [SECURITY] An invalid memory access (heap overrun) in handling LONG datatypes
+* [SECURITY] Missing a check for fields of size 0
+* [SECURITY] Potential buffer overrun on incoming Compressed RTF Streams
+
+This version  & the previous 1.9.1 resolves the following CVEs:
+* CVE-2017-6306
+* CVE-2017-6305
+* CVE-2017-6304
+* CVE-2017-6303
+* CVE-2017-6302
+* CVE-2017-6301
+* CVE-2017-6300
+* CVE-2017-6299
+* CVE-2017-6298
+
+v1.9.1 - Feb 14, 2017
+* BugFix for path handling- label both / and \ as invalid characters inattachments
+* Remove lots of exit(-1)'s from the code that would crash calling programs
+* [SECURITY] Thanks to EricSesterhennX41 for a patch to fix lots of invalid
+memory allocation around corrupted files.
+
 v1.9 - January 2, 2017
 * Unify libytnef and ytnef tools into a single build & package (Thanks @jmallach)
 * Fix applied for CVE-2010-5109

diff --git a/configure.ac b/configure.ac
@@ -4,7 +4,7 @@
 # PATCH version when you make backwards-compatible bug fixes.
 m4_define([version_major],1)
 m4_define([version_minor],9)
-m4_define([version_micro],1)
+m4_define([version_micro],2)
 m4_define([version_triplet],version_major.version_minor.version_micro)
 
 AC_PREREQ([2.63])

diff --git a/lib/ytnef.c b/lib/ytnef.c
@@ -1147,6 +1147,10 @@ int TNEFParse(TNEFStruct *TNEF) {
   while (TNEFGetHeader(TNEF, &type, &size) == 0) {
     DEBUG2(TNEF->Debug, 2, "Header says type=0x%X, size=%u", type, size);
     DEBUG2(TNEF->Debug, 2, "Header says type=%u, size=%u", type, size);
+    if(size == 0) {
+      printf("ERROR: Field with size of 0\n");
+      return YTNEF_ERROR_READING_DATA;
+    }
     data = calloc(size, sizeof(BYTE));
     ALLOCCHECK(data);
     if (TNEFRawRead(TNEF, data, size, &header_checksum) < 0) {
@@ -1390,7 +1394,7 @@ void MAPIPrint(MAPIProps *p) {
           printf("] (%llu)\n", ddword_tmp);
           break;
         case PT_LONG:
-          printf("    Value: %li\n", *((long*)mapidata->data));
+          printf("    Value: %i\n", *((int*)mapidata->data));
           break;
         case PT_I2:
           printf("    Value: %hi\n", *((short int*)mapidata->data));
@@ -1537,7 +1541,7 @@ BYTE *DecompressRTF(variableLength *p, int *size) {
     ALLOCCHECK_CHAR(dst);
     memcpy(dst, comp_Prebuf.data, comp_Prebuf.size);
     out = comp_Prebuf.size;
-    while (out < (comp_Prebuf.size + uncompressedSize)) {
+    while ((out < (comp_Prebuf.size + uncompressedSize)) && (in < p->size)) {
       // each flag byte flags 8 literals/references, 1 per bit
       flags = (flagCount++ % 8 == 0) ? src[in++] : flags >> 1;
       if ((flags & 1) == 1) { // each flag bit is 1 for reference, 0 for literal

diff --git a/test-data/test.sh b/test-data/test.sh
@@ -21,3 +21,5 @@ diff results data
 ../ytnefprint/ytnefprint ./winmail.dat  | grep -A 1 PR_RTF_SYNC_BODY_CRC     | grep 872404792
 ../ytnefprint/ytnefprint ./winmail.dat  | grep -A 1 PR_RTF_SYNC_BODY_COUNT   | grep 90
 ../ytnefprint/ytnefprint ./winmail.dat  | grep -A 18 PR_RTF_COMPRESSED       | grep '\pard Casdasdfasdfasd\\par'
+
+../ytnefprint/ytnefprint ./ytnef-oob-TNEFVersion-SwapWord | grep 'ERROR: Field with size of 0'
diff --git a/test-data/ytnef-oob-TNEFVersion-SwapWord b/test-data/ytnef-oob-TNEFVersion-SwapWord
diff --git a/travis-build.sh b/travis-build.sh
@@ -3,7 +3,11 @@ set -ev
 mkdir -p m4
 autoreconf -vfi
 ./configure --disable-dependency-tracking
-make
+if [ "$TRAVIS_OS_NAME" == "osx" ] || [ "$CC" == "clang" ]; then
+  make CFLAGS="-fsanitize=address -g"
+else
+  make
+fi
 sudo make install
 
 export LD_LIBRARY_PATH=/usr/local/lib:${LD_LIBRARY_PATH}