Bug 1601236
| Summary: | global-buffer-overflow in copy_unicode_string in xlsparse.c | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | rookie <92wyunchao> | ||||
| Component: | catdoc | Assignee: | Robert Scheck <redhat-bugzilla> | ||||
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | epel7 | CC: | adel.gadllah, redhat-bugzilla | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | Type: | Bug | |||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1458984 [details] poc to reproduce the crash Description of problem: There exists one global-buffer-overflow bug in copy_unicode_string in xlsparse.c in catdoc0.95 which allows attacker to cause a denial-of-service or possibly have other unspecified impact via a crafted xls file.This vulnerability can be triggered by the executable xls2csv. Version-Release number of selected component (if applicable): Steps to Reproduce: 1.xls2csv $poc 2. 3. Actual results: ASan: ==15166==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013ac550 at pc 0x0000004efb7a bp 0x7ffcd5c98230 sp 0x7ffcd5c98228 READ of size 1 at 0x0000013ac550 thread T0 #0 0x4efb79 in copy_unicode_string /home/s2e/catdoc-0.95/src/xlsparse.c:493 #1 0x4ee0bc in process_item /home/s2e/catdoc-0.95/src/xlsparse.c:228 #2 0x4ed291 in do_table /home/s2e/catdoc-0.95/src/xlsparse.c:116 #3 0x4eb211 in main /home/s2e/catdoc-0.95/src/xls2csv.c:167 #4 0x7f9cb219b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #5 0x419048 in _start (/home/s2e/catdoc-0.95/src/xls2csv+0x419048) 0x0000013ac550 is located 0 bytes to the right of global variable 'rec' defined in 'xlsparse.c:22:22' (0x13a7f00) of size 18000 SUMMARY: AddressSanitizer: global-buffer-overflow /home/s2e/catdoc-0.95/src/xlsparse.c:493 in copy_unicode_string Shadow bytes around the buggy address: 0x00008026d850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026d860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026d870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008026d890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x00008026d8a0: 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 0x00008026d8b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x00008026d8c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x00008026d8d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x00008026d8e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x00008026d8f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9