division by zero in ole.c:390 at libdoc master branch(2019/1/29) when using libdoc.a #5

Closed
wuk0n9 opened this issue Jan 29, 2019 · 2 comments

wuk0n9 commented Jan 29, 2019

A crafted input will lead to 'division by zero' in ole.c:390 at libdoc master branch (2019/1/29) when using libdoc.a

Triggered by

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

PoC
libdoc_poc3.zip

The gdb information is as follows:

Starting program: /root/libdoc-master/example/doc2txt id_0000102,sig_08,src_000304,op_flip1,pos_32
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGFPE, Arithmetic exception.
0x0000000000403669 in calcFileBlockOffset (ole_params=0x7fffffffe0a0, blk=0, e=0x60c00000bd40) at /root/libdoc-master/ole.c:390
390                     long int sbdSecNum=e->blocks[blk]/sbdPerSector;
(gdb) bt
#0  0x0000000000403669 in calcFileBlockOffset (ole_params=0x7fffffffe0a0, blk=0, e=0x60c00000bd40) at /root/libdoc-master/ole.c:390
#1  ole_read (ptr=0x7fffffffe140, size=<optimized out>, nmemb=<optimized out>, stream=0x60c00000bd40, ole_params=0x7fffffffe0a0) at /root/libdoc-master/ole.c:436
#2  0x00000000004020b7 in analyze_format (f=f@entry=0x61200000bec0, out=out@entry=0x61600000f980) at /root/libdoc-master/analyze.c:56
#3  0x0000000000401a94 in doc2text (buf=0x62c000000200 "\320\317\021\340\241\261\032\341", '\060' <repeats 15 times>, ")000000\t0\026", '\060' <repeats 11 times>, "\001",
    size=<optimized out>, buffer_out=<optimized out>) at /root/libdoc-master/catdoc.c:55
#4  0x00000000004018eb in main (argc=2, argv=0x7fffffffe488) at main.c:23
(gdb)

FoundBy: [email protected]
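The faulting statement in the trace, `sbdSecNum = e->blocks[blk] / sbdPerSector`, divides by a value that ultimately comes from the parsed file, so a crafted header can make it zero and the process dies with SIGFPE. The following is an added illustration written for this thread; it is not libdoc's code and does not reproduce its internals. It assumes (as is typical for OLE2 compound files, but not verified against libdoc) that the divisor is the sector size divided by the small-block size, and shows the shape of the check a parser wants before such a divide: reject a zero or out-of-range divisor and an out-of-range block index, and return an error instead of trapping.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the divide at ole.c:390 (not libdoc's function).
 * Returns 0 and stores the result in *out on success; returns -1 when the
 * divisor is not positive or the block index is out of range, so a crafted
 * input produces a clean parse error instead of SIGFPE. */
int safe_sbd_sector(const long *blocks, size_t nblocks, size_t blk,
                    long sbd_per_sector, long *out)
{
    if (blocks == NULL || out == NULL)
        return -1;
    if (blk >= nblocks)                 /* index from file data: bounds-check it */
        return -1;
    if (sbd_per_sector <= 0)            /* divisor from file data: zero is the bug here */
        return -1;
    *out = blocks[blk] / sbd_per_sector;
    return 0;
}

/* Assumed derivation of the divisor from two header fields (sector size and
 * small-block size). Both are attacker-controlled bytes, so the quotient is
 * validated before it is ever used as a divisor elsewhere. */
int derive_sbd_per_sector(unsigned sector_size, unsigned small_block_size,
                          long *out)
{
    if (out == NULL)
        return -1;
    if (sector_size == 0 || small_block_size == 0)
        return -1;                      /* would yield a zero or undefined divisor */
    if (small_block_size > sector_size)
        return -1;                      /* integer division would truncate to 0 */
    *out = (long)(sector_size / small_block_size);
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the PoC file. */
    long blocks[] = { 16, 24, 40 };
    long per_sector, sec;

    /* Well-formed header: 512-byte sectors, 64-byte small blocks -> 8 per sector. */
    if (derive_sbd_per_sector(512, 64, &per_sector) == 0 &&
        safe_sbd_sector(blocks, 3, 1, per_sector, &sec) == 0)
        printf("block 1 lives in small-block-depot sector %ld\n", sec);

    /* Crafted header with a zero small-block size: rejected, no trap. */
    if (derive_sbd_per_sector(512, 0, &per_sector) != 0)
        printf("rejected header with zero small-block size\n");

    /* Divisor of zero reaching the divide directly: rejected as well. */
    if (safe_sbd_sector(blocks, 3, 0, 0, &sec) != 0)
        printf("rejected zero divisor\n");
    return 0;
}
```

Running a fuzzer-found input like the one attached above through a build that carries such checks turns the crash into a returned error; compiling with `-fsanitize=undefined` additionally reports integer division by zero at the exact site rather than leaving only a SIGFPE in gdb.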

fgeek commented Jan 30, 2019

Someone requested CVE identifier for this issue and it got assigned CVE-2019-7156.

kasha13 (Collaborator) commented Jan 31, 2019

CVE-2019-7156 #5 is fixed. Thank you.

@kasha13 kasha13 closed this as completed Jan 31, 2019