Bug 1601236 - global-buffer-overflow in copy_unicode_string in xlsparse.c
Summary: global-buffer-overflow in copy_unicode_string in xlsparse.c
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: catdoc
Version: epel7
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-15 12:12 UTC by rookie
Modified: 2018-07-15 12:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments:
poc to reproduce the crash (5.14 KB, application/zip), 2018-07-15 12:12 UTC, rookie

Description rookie 2018-07-15 12:12:01 UTC
Created attachment 1458984
poc to reproduce the crash

Description of problem:
There exists a global-buffer-overflow bug in copy_unicode_string in xlsparse.c in catdoc 0.95 which allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted xls file. This vulnerability can be triggered by the executable xls2csv.

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. xls2csv $poc

Actual results:
ASan:
==15166==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013ac550 at pc 0x0000004efb7a bp 0x7ffcd5c98230 sp 0x7ffcd5c98228
READ of size 1 at 0x0000013ac550 thread T0
    #0 0x4efb79 in copy_unicode_string /home/s2e/catdoc-0.95/src/xlsparse.c:493
    #1 0x4ee0bc in process_item /home/s2e/catdoc-0.95/src/xlsparse.c:228
    #2 0x4ed291 in do_table /home/s2e/catdoc-0.95/src/xlsparse.c:116
    #3 0x4eb211 in main /home/s2e/catdoc-0.95/src/xls2csv.c:167
    #4 0x7f9cb219b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x419048 in _start (/home/s2e/catdoc-0.95/src/xls2csv+0x419048)

0x0000013ac550 is located 0 bytes to the right of global variable 'rec' defined in 'xlsparse.c:22:22' (0x13a7f00) of size 18000
SUMMARY: AddressSanitizer: global-buffer-overflow /home/s2e/catdoc-0.95/src/xlsparse.c:493 in copy_unicode_string
Shadow bytes around the buggy address:
  0x00008026d850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026d860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026d870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008026d890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008026d8a0: 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9
  0x00008026d8b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008026d8c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008026d8d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008026d8e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008026d8f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
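For readers of this report, here is a bounded version of the string-copy step, as an added example in C that is not catdoc's own code: it assumes the BIFF8 Unicode-string layout (2-byte little-endian character count, one flag byte, then the characters) and rejects a declared length that would read past the record buffer, which is the over-read the ASan trace above reports at the end of 'rec'.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not catdoc's copy_unicode_string): a bounded reader for a
 * BIFF8-style length-prefixed Unicode string, i.e. a 2-byte little-endian
 * character count, one flag byte whose bit 0 means 16-bit characters, then
 * the characters. The layout is assumed from the BIFF8 format; the record
 * size mirrors the 18000-byte global 'rec' named in the ASan report. */
#define REC_SIZE 18000

/* Copies the low byte of each character at buf[off..] into out (NUL-terminated,
 * at most outlen-1 chars). Returns the record bytes consumed, or -1 when the
 * declared length would read past reclen, the over-read class the report shows. */
long copy_unicode_string_bounded(const unsigned char *buf, size_t reclen,
                                 size_t off, char *out, size_t outlen)
{
    const size_t hdr = 3;
    if (outlen == 0 || off > reclen || reclen - off < hdr)
        return -1;                                /* header itself does not fit */
    size_t cch   = buf[off] | ((size_t)buf[off + 1] << 8);
    size_t width = (buf[off + 2] & 0x01) ? 2 : 1; /* fHighByte flag */
    size_t avail = reclen - off - hdr;
    if (cch > avail / width)                      /* length claims bytes beyond the record */
        return -1;
    const unsigned char *p = buf + off + hdr;
    size_t n = cch < outlen - 1 ? cch : outlen - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)p[i * width];
    out[n] = '\0';
    return (long)(hdr + cch * width);
}

/* Constructed inputs exercising the checks. */
int demo_truncated(void)   /* cch=240 but only 5 data bytes: must be rejected */
{
    unsigned char r[8] = { 0xF0, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e' };
    char out[16];
    return copy_unicode_string_bounded(r, sizeof r, 0, out, sizeof out) == -1;
}

int demo_wide_at_record_end(void) /* 2 UTF-16LE chars filling the last 7 bytes of rec */
{
    static unsigned char rec[REC_SIZE];
    size_t off = REC_SIZE - 7;
    const unsigned char s[7] = { 0x02, 0x00, 0x01, 'h', 0x00, 'i', 0x00 };
    memcpy(rec + off, s, sizeof s);
    char out[8];
    long used = copy_unicode_string_bounded(rec, REC_SIZE, off, out, sizeof out);
    return used == 7 && strcmp(out, "hi") == 0;
}
```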

