Bug#1008092: antiword: Buffer overflow in the vAnalyseSummaryInfo function in summary.c in Antiword 0.37

Tue, 22 Mar 2022 04:00:17 -0700 

Package: antiword
Version: 0.37-16
Severity: important
X-Debbugs-Cc: jieyong...@gmail.com

Dear Maintainer,

Description of problem:
antiword crashes with the provided doc file

How reproducible:
antiword vAnalyseSummaryInfo.poc.doc

Backtraces:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at 
summary.c:225
225                     switch (tPropID) {
(gdb) bt
#0  0x0000000000449515 in vAnalyseSummaryInfo (aucBuffer=0x6928f0 "t\001") at 
summary.c:225
#1  vSetSummaryInfoOLE (pFile=0x68f2e0, pFile@entry=0x37, pPPS=0x7fffffffbb10, 
pPPS@entry=0x68f2e0, aulBBD=0x68fb00, aulBBD@entry=0x7fffffffbb80, tBBDLen=55, 
tBBDLen@entry=37, aulSBD=aulSBD@entry=0x68fe80, tSBDLen=tSBDLen@entry=2)
    at summary.c:628
#2  0x0000000000449bcf in vSet8SummaryInfo (pFile=0xff7f013c, 
pFile@entry=0x68f2e0, pPPS=0x692a08, pPPS@entry=0x7fffffffbb10, aulBBD=0xb, 
aulBBD@entry=0x68fb00, tBBDLen=10, tBBDLen@entry=55, aulSBD=0x692820, 
aulSBD@entry=0x68fe80,
    tSBDLen=29113347658312010, tSBDLen@entry=2, aucHeader=0x2 <error: Cannot 
access memory at address 0x2>) at summary.c:686
#3  0x0000000000442126 in vGetPropertyInfo (pFile=pFile@entry=0x68f2e0, 
pPPS=0x7fffffffbb10, pPPS@entry=0x7fffffffbb00, aulBBD=aulBBD@entry=0x68fb00, 
tBBDLen=<optimized out>, tBBDLen@entry=55, aulSBD=0x68fe80, 
aulSBD@entry=0x68fb00,
    tSBDLen=2, tSBDLen@entry=0, aucHeader=0x7fffffffbb80 "\354\245\301", 
iWordVersion=8) at properties.c:145
#4  0x0000000000458464 in iInitDocumentOLE (pFile=<optimized out>, 
pFile@entry=0x68f2e0, lFilesize=<optimized out>, lFilesize@entry=28672) at 
wordole.c:792
#5  0x00000000004552fb in iInitDocument (pFile=<optimized out>, 
pFile@entry=0x68f2e0, lFilesize=<optimized out>, lFilesize@entry=28672) at 
wordlib.c:325
#6  0x000000000044ce1f in bWordDecryptor (pFile=pFile@entry=0x68f2e0, 
lFilesize=lFilesize@entry=28672, pDiag=0x68fac0) at word2text.c:665
#7  0x0000000000403ef3 in bProcessFile (szFilename=<optimized out>) at 
main_u.c:214
#8  main (argc=2, argv=0x7fffffffe558) at main_u.c:310

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2064638


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-12-amd64 (SMP w/4 CPU threads)
Locale: LANG=zh_CN.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8), 
LANGUAGE=zh_CN:zh
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages antiword depends on:
ii  libc6  2.31-13+deb11u2

antiword recommends no packages.

antiword suggests no packages.

-- no debconf information

Reply via email to