Package: catdoc
Version: 0.94.4-1.1
Severity: important
Tags: security

Dear Maintainer,

The attached word document will cause catdoc to crash when executed:

     catdoc x.doc

When running under valgrind we see that an attempt is made to access
an invalid pointer:

==6875== Invalid read of size 8
==6875==    at 0x41B91D: map_subst (substmap.c:151)
==6875==    by 0x417E08: convert_char (charsets.c:241)
==6875==    by 0x4064E0: copy_out (reader.c:82)
==6875==    by 0x40A807: analyze_format (analyze.c:75)
==6875==    by 0x40378B: main (catdoc.c:180)
==6875==  Address 0xd221cf8 is not stack'd, malloc'd or (recently) free'd

Running under gdb we see this is the area of code in question:

(gdb) run ~/x.doc
Starting program: /home/steve/inst/bin/catdoc x.doc

Program received signal SIGSEGV, Segmentation fault.
0x000000000041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1)
    at substmap.c:151
151             char **p=map[(unsigned)uc >>8];
(gdb) bt
#0  0x000000000041b91d in map_subst (map=0x6ad1a0, uc=uc@entry=-1)
    at substmap.c:151
#1  0x0000000000417e09 in convert_char (uc=-1) at charsets.c:241
#2  0x00000000004064e1 in copy_out (f=f@entry=0x6aec90,
    header=header@entry=0x7fffffffe340 "P\317\021\340\241\261\032\341\032")
    at reader.c:82
#3  0x000000000040a808 in analyze_format (f=f@entry=0x6aec90) at analyze.c:75
#4  0x000000000040378c in main (argc=<optimized out>, argv=<optimized out>)
    at catdoc.c:180


I'm reporting this as "important" because I believe that running
catdoc on untrusted input should not result in a segfault.  It may
be a security-sensitive issue too, although that is not 100%
confirmed.


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages catdoc depends on:
ii  libc6  2.19-18+deb8u1

catdoc recommends no packages.

Versions of packages catdoc suggests:
ii  tk [wish]  8.6.0+8

-- no debconf information

Attachment: x.doc.gz
Description: application/gzip
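The crashing line in the backtrace, `char **p=map[(unsigned)uc >>8];`, is reached with `uc == -1`. Cast to `unsigned` and shifted right by 8, -1 becomes 0x00FFFFFF on a 32-bit `unsigned int`, which is then used as an index into the substitution table, hence the read of an address that is "not stack'd, malloc'd or (recently) free'd". The following is an added example, not code from catdoc or from the reporter: it reproduces the index arithmetic and places the unguarded lookup beside a guarded one that rejects negative and out-of-range values before touching memory. The table layout (256 pages of 256 `char *` entries, indexed by the high and low byte of a 16-bit value) is an assumption made for the demonstration and is not taken from substmap.c.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, not catdoc's real one: 256 pages indexed by the high
 * byte of a 16-bit code, each page holding 256 replacement strings
 * (NULL where there is no substitution). */
#define MAP_PAGES 256
#define PAGE_SIZE 256

typedef char **subst_map[MAP_PAGES];

/* The index expression exactly as it appears on the crashing line.
 * For uc == -1 this is UINT_MAX >> 8 (0x00FFFFFF with 32-bit unsigned),
 * far beyond a 256-entry table. */
unsigned crash_index(int uc)
{
    return (unsigned)uc >> 8;
}

/* Lookup mirroring the unguarded pattern at substmap.c:151.  Calling
 * this with uc == -1 would read outside the table; it is shown here
 * for contrast only and the demo never calls it with a negative value. */
const char *map_subst_unguarded(subst_map map, int uc)
{
    char **p = map[(unsigned)uc >> 8];
    if (!p)
        return NULL;
    return p[uc & 0xFF];
}

/* Hardened lookup: refuse the -1 sentinel and anything whose high byte
 * would index past the last page, before any memory is dereferenced. */
const char *map_subst_guarded(subst_map map, int uc)
{
    if (uc < 0 || ((unsigned)uc >> 8) >= MAP_PAGES)
        return NULL;
    char **p = map[(unsigned)uc >> 8];
    if (!p)
        return NULL;
    return p[uc & 0xFF];
}

/* Constructed demo table: one page (high byte 0x00) with a single
 * substitution, U+00A9 -> "(c)". */
static char *demo_page0[PAGE_SIZE];
static subst_map demo_map;

void demo_init(void)
{
    memset(demo_map, 0, sizeof demo_map);
    memset(demo_page0, 0, sizeof demo_page0);
    demo_page0[0xA9] = "(c)";
    demo_map[0x00] = demo_page0;
}

int main(void)
{
    demo_init();
    printf("index for uc=-1 is 0x%08X (table has %d pages)\n",
           crash_index(-1), MAP_PAGES);
    printf("guarded lookup 0x00A9  -> %s\n", map_subst_guarded(demo_map, 0x00A9));
    printf("guarded lookup 0x1234  -> %s\n",
           map_subst_guarded(demo_map, 0x1234) ? "hit" : "NULL");
    printf("guarded lookup -1      -> %s\n",
           map_subst_guarded(demo_map, -1) ? "hit" : "NULL");
    /* map_subst_unguarded(demo_map, -1) would perform the out-of-bounds
     * read seen in the valgrind report; it is deliberately not executed. */
    return 0;
}
```

The guard costs one comparison per character and turns the out-of-bounds read into a "no substitution" result, which is what the caller already handles when a page is empty.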
