ppthtml heap-based buffer overflow

2013.11.14

Credit: Murray McAllister

Risk: High

Local: Yes

Remote: No

CVE: CVE-2013-4565

CWE: CWE-119

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Morning,

A heap-based buffer overflow flaw was reported in ppthtml:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729279

Looking in xlhtml-0.5-15.fc19.src.rpm, I think the root cause of the problem is in __OLEdecode() with an under allocation here:

163   BDepot = (U8 *) malloc (0x0200 * (num_bbd_blocks + num_xbbd_blocks));

That still passes this check:

167   assert (num_bbd_blocks <=  (0x0200 / 4 - 1) * num_xbbd_blocks +
168                              (0x0200 / 4) - 19);

I suspect the overflow eventually occurs in this loop:

184   for (i = 0; i < num_xbbd_blocks; i++)

with:

203       fread (s, 0x0200, 1, input);
204       test_exitf (!ferror (input), 5, ends ());
205       s += 0x0200;

continually executed (but haven't tested thoroughly!!!).

Can a CVE please be assigned?

(Cc'ing Salvatore in case there is more information in the Debian report that I cannot see.)

Cheers,

--
Murray McAllister / Red Hat Security Response Team

References:

http://seclists.org/oss-sec/2013/q4/278

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729279

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ppthtml heap-based buffer overflow

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.