Package: libchm1
Version: 2:0.40a-3+b1
Usertags: afl
CHMLIB crashes with SIGFPE on the attached file:
$ enum_chmLib crash.chm
Floating point exception
GDB says it's a modulo by zero:
Program received signal SIGFPE, Arithmetic exception.
0xf7fbcd55 in __umoddi3 () from /usr/lib/libchm.so.1
(gdb) bt
#0 0xf7fbcd55 in __umoddi3 () from /usr/lib/libchm.so.1
#1 0xf7fba035 in _chm_decompress_region (h=0x804b008, buf=0xffffd65c "\002", start=106, len=28) at chm_lib.c:1526
#2 0xf7fba336 in chm_retrieve_object (h=0x804b008, ui=0xffffd440, buf=0xffffd65c "\002", addr=0, len=28) at chm_lib.c:1596
#3 0xf7fb8b98 in chm_open (filename=0xffffda0b "crash.chm") at chm_lib.c:934
#4 0x08048842 in main (c=2, v=0xffffd854) at enum_chmLib.c:69
(gdb) up
#1 0xf7fba035 in _chm_decompress_region (h=0x804b008, buf=0xffffd65c "\002", start=106, len=28) at chm_lib.c:1526
1526 if (h->cache_block_indices[nBlock % h->cache_num_blocks] == nBlock &&
(gdb) print h->cache_num_blocks
$1 = 0
This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl
Disclaimer: I don't have spare CPU cycles, so I fuzzed only until the
first crash (which took a few seconds). It's likely that extensive
fuzzing would uncover more interesting crashers. I'd encourage CHMLIB
maintainers to perform fuzzing with AFL on their own. :-)
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libchm1 depends on:
ii libc6 2.19-13
--
Jakub Wilk
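The backtrace above shows the trap: `_chm_decompress_region` indexes its block cache with `nBlock % h->cache_num_blocks`, and on this input `cache_num_blocks` is still 0 when the lookup runs, so the 64-bit unsigned modulo (`__umoddi3` on i386) raises SIGFPE. The block below is an added example, not code from chmlib or from the reporter: it models a block cache with the two fields named in the backtrace (`cache_block_indices`, `cache_num_blocks`) and shows the lookup written with the guard the real code lacks, returning an error when the cache has never been initialised instead of dividing by zero. The struct layout, function names, slot count of 5 and block numbers are assumptions chosen for the demonstration; nothing here parses a CHM file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cache modelled on the fields visible in the gdb session;
 * this is NOT chmlib's struct chmFile. */
struct block_cache {
    uint8_t **blocks;          /* decompressed block buffers, one per slot */
    int64_t *block_indices;    /* block number held in each slot, -1 = empty */
    int num_blocks;            /* slot count; zero means "never initialised" */
    size_t block_len;          /* bytes per block */
};

/* Allocate n slots. Rejects n <= 0 so num_blocks can never become a zero modulus. */
int cache_init(struct block_cache *c, int n, size_t block_len)
{
    memset(c, 0, sizeof *c);
    if (n <= 0 || block_len == 0)
        return -1;
    c->blocks = calloc((size_t)n, sizeof *c->blocks);
    c->block_indices = malloc((size_t)n * sizeof *c->block_indices);
    if (c->blocks == NULL || c->block_indices == NULL) {
        free(c->blocks);
        free(c->block_indices);
        memset(c, 0, sizeof *c);
        return -1;
    }
    for (int i = 0; i < n; i++)
        c->block_indices[i] = -1;
    c->num_blocks = n;
    c->block_len = block_len;
    return 0;
}

void cache_free(struct block_cache *c)
{
    for (int i = 0; i < c->num_blocks; i++)
        free(c->blocks[i]);
    free(c->blocks);
    free(c->block_indices);
    memset(c, 0, sizeof *c);
}

/* Guarded form of the lookup at chm_lib.c:1526. Returns 1 on a hit (*out set),
 * 0 on a miss, -1 if the cache was never set up, which is exactly the state
 * (cache_num_blocks == 0) that makes the unguarded nBlock % cache_num_blocks trap. */
int cache_lookup(const struct block_cache *c, uint64_t nBlock, const uint8_t **out)
{
    if (c->num_blocks <= 0 || c->block_indices == NULL || c->blocks == NULL)
        return -1;
    size_t slot = (size_t)(nBlock % (uint64_t)c->num_blocks);
    if (c->block_indices[slot] == (int64_t)nBlock && c->blocks[slot] != NULL) {
        *out = c->blocks[slot];
        return 1;
    }
    return 0;
}

/* Store a decompressed block, evicting whatever previously shared its slot. */
int cache_store(struct block_cache *c, uint64_t nBlock, const uint8_t *data)
{
    if (c->num_blocks <= 0 || c->blocks == NULL)
        return -1;
    size_t slot = (size_t)(nBlock % (uint64_t)c->num_blocks);
    if (c->blocks[slot] == NULL) {
        c->blocks[slot] = malloc(c->block_len);
        if (c->blocks[slot] == NULL)
            return -1;
    }
    memcpy(c->blocks[slot], data, c->block_len);
    c->block_indices[slot] = (int64_t)nBlock;
    return 0;
}

/* The reporter's situation: a zeroed handle, so num_blocks == 0.
 * The guarded lookup answers -1 where the original code faulted. */
int demo_uninitialised_lookup(void)
{
    struct block_cache c;
    const uint8_t *p = NULL;
    memset(&c, 0, sizeof c);
    return cache_lookup(&c, 42, &p);
}

/* Normal operation with 5 slots (constructed block numbers): block 42 hits,
 * block 44 misses on an empty slot, block 47 misses because it collides with
 * 42 in slot 2 but the stored index differs. Returns 7 when all three behave. */
int demo_hit_miss_collision(void)
{
    struct block_cache c;
    uint8_t block[16];
    const uint8_t *p = NULL;
    int result = 0;
    if (cache_init(&c, 5, sizeof block) != 0)
        return -1;
    memset(block, 0xAB, sizeof block);
    if (cache_store(&c, 42, block) != 0)
        return -1;
    if (cache_lookup(&c, 42, &p) == 1 && p[0] == 0xAB) result |= 1;
    if (cache_lookup(&c, 44, &p) == 0)                 result |= 2;
    if (cache_lookup(&c, 47, &p) == 0)                 result |= 4;
    cache_free(&c);
    return result;
}
```

The practical fix in a library like this is not just the guard inside the lookup but making sure the cache is initialised before any compressed-object retrieval can reach it; the guard turns a malformed file into a clean error return rather than a crash, and the `cache_init` check on `n <= 0` keeps a caller from re-creating the zero-slot state through the parameter-setting path.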