On Thu, Dec 11, 2014 at 6:47 PM, Jakub Wilk <jw...@debian.org> wrote:
> Package: cabextract
> Version: 1.4-4+b1
> Severity: minor
> Usertags: afl
>
> The attached file makes cabextract hang forever (or at least for two
> minutes, after which I lost my patience :-P).
>
> This bug was found using American fuzzy lop:
> http://lcamtuf.coredump.cx/afl/

It's definitely an infinite loop. It gets caught in qtmd_decompress() and never gets out of the loop on line 290. The problem seems to be on this line:

    /* decode more, up to the number of bytes needed, the frame boundary,
     * or the window boundary, whichever comes first */
    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));

out_bytes is an off_t (8 bytes) but frame_end is an unsigned int (4 bytes) and it overflows. If I change the "unsigned int" to "off_t" in the first line of this function, the function terminates properly and declares the file corrupt:

    marvin% ./cabextract ~/Download/hang.cab
    Extracting cabinet: /home/sharkey/Download/hang.cab
      extracting limerick
    limerick: error in CAB data format

    All done, errors in processing 1 file(s)

Stuart, is this the right fix in your opinion?

Eric
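To illustrate the truncation Eric describes, here is an added C model; it is not cabextract's or libmspack's code, and the `qtm_state` fields, `frame_end_narrow`, `frame_end_wide` and the 4 GiB byte count are constructed assumptions. It compares the `unsigned int` computation with one kept in `off_t`, and shows that the narrow result leaves the position where it was, so a loop of the form `while (window_posn < frame_end)` cannot advance.

```c
#define _FILE_OFFSET_BITS 64   /* make off_t 8 bytes, as in the report */
#include <stdio.h>
#include <sys/types.h>

/* Assumed, simplified decoder state (not the real libmspack struct). */
struct qtm_state {
    unsigned int window_posn;  /* current write position in the window */
    unsigned int window_size;  /* size of the sliding window */
    unsigned int buffered;     /* stands in for (qtm->o_end - qtm->o_ptr) */
};

/* Narrow version, mirroring the reported line: the 64-bit off_t arithmetic
 * is silently truncated when stored into the 32-bit frame_end. */
unsigned int frame_end_narrow(const struct qtm_state *s, off_t out_bytes) {
    unsigned int frame_end = s->window_posn + (out_bytes - s->buffered);
    if (frame_end > s->window_size) frame_end = s->window_size;
    return frame_end;
}

/* Wide version: keep the arithmetic in off_t, clamp to the window, and
 * reject a result that would not advance window_posn (no progress is
 * possible, so the input is treated as corrupt). Returns -1 in that case. */
off_t frame_end_wide(const struct qtm_state *s, off_t out_bytes) {
    off_t end = (off_t)s->window_posn + (out_bytes - (off_t)s->buffered);
    if (end > (off_t)s->window_size) end = s->window_size;
    if (end <= (off_t)s->window_posn) return -1;
    return end;
}

/* Would the inner decode loop "while (window_posn < frame_end)" run at all? */
int loop_makes_progress(unsigned int window_posn, unsigned int frame_end) {
    return window_posn < frame_end;
}

/* Constructed scenario: 2 MiB window, position 1000, and a corrupt
 * request for exactly 4 GiB of output. */
static const struct qtm_state demo_state = { 1000, 2097152, 0 };
static const off_t demo_huge = (off_t)1 << 32;

int main(void) {
    unsigned int n = frame_end_narrow(&demo_state, demo_huge);
    off_t w = frame_end_wide(&demo_state, demo_huge);
    printf("narrow: frame_end=%u progress=%d\n", n,
           loop_makes_progress(demo_state.window_posn, n));
    printf("wide:   frame_end=%lld\n", (long long)w);
    return 0;
}
```

With the narrow computation, 1000 + 2^32 wraps back to 1000, equal to `window_posn`, so nothing is decoded and the byte count never shrinks; the wide version clamps to the window end (2097152) and makes progress.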