Morning,
A heap-based buffer overflow flaw was reported in ppthtml:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729279
Looking in xlhtml-0.5-15.fc19.src.rpm, I think the root cause of the problem is in __OLEdecode() with an under allocation here:
163 BDepot = (U8 *) malloc (0x0200 * (num_bbd_blocks + num_xbbd_blocks));
That still passes this check:
167 assert (num_bbd_blocks <= (0x0200 / 4 - 1) * num_xbbd_blocks +
168 (0x0200 / 4) - 19);
I suspect the overflow eventually occurs in this loop:
184 for (i = 0; i < num_xbbd_blocks; i++)
with:
203 fread (s, 0x0200, 1, input);
204 test_exitf (!ferror (input), 5, ends ());
205 s += 0x0200;
continually executed (but haven't tested thoroughly!!!).
Can a CVE please be assigned?
(Cc'ing Salvatore in case there is more information in the Debian report that I cannot see.)
Cheers,
--
Murray McAllister / Red Hat Security Response Team