ppthtml heap-based buffer overflow

2013.11.14
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Morning,

A heap-based buffer overflow flaw was reported in ppthtml:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729279

Looking in xlhtml-0.5-15.fc19.src.rpm, I think the root cause of the problem is in __OLEdecode() with an under allocation here:

163 BDepot = (U8 *) malloc (0x0200 * (num_bbd_blocks + num_xbbd_blocks));

That still passes this check:

167 assert (num_bbd_blocks <= (0x0200 / 4 - 1) * num_xbbd_blocks +
168 (0x0200 / 4) - 19);

I suspect the overflow eventually occurs in this loop:

184 for (i = 0; i < num_xbbd_blocks; i++)

with:

203 fread (s, 0x0200, 1, input);
204 test_exitf (!ferror (input), 5, ends ());
205 s += 0x0200;

continually executed (but haven't tested thoroughly!!!).

Can a CVE please be assigned?

(Cc'ing Salvatore in case there is more information in the Debian report that I cannot see.)

Cheers,

--
Murray McAllister / Red Hat Security Response Team

References:

http://seclists.org/oss-sec/2013/q4/278
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729279
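The bug shape described in the report is a heap buffer sized from one pair of header counts and then filled by a loop that advances a pointer 0x200 bytes per fread() without comparing against the allocated size. The C below is an added illustration of the defensive pattern that closes that gap; it is not code from xlhtml or ppthtml. The depot_t struct, the function names and the in-memory sample input are assumptions standing in for the real decoder's FILE* reads, and the size_t overflow check on the allocation size is a general precaution, since the actual integer types used in __OLEdecode() are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 0x0200u

/* Hypothetical minimal "depot": the allocation is sized from the two block
 * counts, and every block copied into it is checked against the remaining
 * capacity before any byte is written. */
typedef struct {
    uint8_t *data;      /* malloc'd depot, BLOCK_SIZE * capacity bytes */
    size_t   capacity;  /* number of BLOCK_SIZE slots allocated */
    size_t   used;      /* slots filled so far */
} depot_t;

/* Allocate the depot, rejecting a size_t overflow in the size computation. */
static int depot_init(depot_t *d, size_t num_bbd_blocks, size_t num_xbbd_blocks)
{
    size_t total;
    if (num_bbd_blocks > SIZE_MAX - num_xbbd_blocks) return -1;
    total = num_bbd_blocks + num_xbbd_blocks;
    if (total > SIZE_MAX / BLOCK_SIZE) return -1;
    d->data = malloc(total * BLOCK_SIZE);
    if (d->data == NULL && total != 0) return -1;
    d->capacity = total;
    d->used = 0;
    return 0;
}

/* Append one block. Fails without writing when the depot is already full
 * (the heap overflow case) or when the input has fewer than BLOCK_SIZE
 * bytes left (the short-read case that ferror() alone does not catch). */
static int depot_append(depot_t *d, const uint8_t *input, size_t input_len,
                        size_t *offset)
{
    if (d->used >= d->capacity) return -1;
    if (input_len - *offset < BLOCK_SIZE) return -1;
    memcpy(d->data + d->used * BLOCK_SIZE, input + *offset, BLOCK_SIZE);
    *offset += BLOCK_SIZE;
    d->used++;
    return 0;
}

/* Drive the fill loop: `blocks_requested` stands in for however many blocks
 * the outer loop over num_xbbd_blocks ends up pulling from the stream.
 * Returns the number of blocks stored, or -1 on the first rejected write. */
long fill_depot(const uint8_t *input, size_t input_len,
                size_t num_bbd_blocks, size_t num_xbbd_blocks,
                size_t blocks_requested)
{
    depot_t d;
    size_t off = 0, i;
    long stored;
    if (depot_init(&d, num_bbd_blocks, num_xbbd_blocks) != 0) return -1;
    for (i = 0; i < blocks_requested; i++) {
        if (depot_append(&d, input, input_len, &off) != 0) break;
    }
    stored = (i == blocks_requested) ? (long)d.used : -1;
    free(d.data);
    return stored;
}

/* Constructed sample input: 8 blocks of 0x200 bytes, block n filled with n. */
#define SAMPLE_BLOCKS 8
static uint8_t sample_input[SAMPLE_BLOCKS * BLOCK_SIZE];

const uint8_t *make_sample_input(void)
{
    size_t n;
    for (n = 0; n < SAMPLE_BLOCKS; n++)
        memset(sample_input + n * BLOCK_SIZE, (int)n, BLOCK_SIZE);
    return sample_input;
}

int main(void)
{
    const uint8_t *in = make_sample_input();
    size_t len = SAMPLE_BLOCKS * BLOCK_SIZE;
    /* capacity 3 (2 + 1): three blocks fit, a fourth is refused */
    printf("fit:      %ld\n", fill_depot(in, len, 2, 1, 3));
    printf("overrun:  %ld\n", fill_depot(in, len, 2, 1, 4));
    /* capacity 12 but only 8 blocks of input: the short read is refused */
    printf("short:    %ld\n", fill_depot(in, len, 10, 2, 9));
    return 0;
}
```

The point of the pattern is that the write loop and the allocation share one capacity figure, so a mismatch between the header's counts and the number of blocks the loop actually copies is turned into a clean error rather than a heap write past the end of BDepot.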

