CVE-2010-4261: ClamAV icon_cb() off-by-one
A new version of ClamAV (0.96.5) was released on 29 November 2010. Among other patches, the new release includes an off-by-one fix located at libclamav/pe_icons.c in the function below.
    struct ICONS {
        unsigned int cnt;
        uint32_t rvas[100];
    };

    static int icon_cb(void *ptr, uint32_t type, uint32_t name, uint32_t lang, uint32_t rva)
    {
        struct ICONS *icons = ptr;
        type = type;   /* unused parameters */
        lang = lang;
        cli_dbgmsg("icon_cb: got icon %x\n", name);
        if(icons->cnt > 100)   /* bound check: cnt == 100 still passes */
            return 1;
        icons->rvas[icons->cnt] = rva;
        icons->cnt++;
        return 0;
    }
Before updating the ‘rvas[]’ array and incrementing the icon counter there is a check: it verifies that the current counter value is not greater than 100, which is the number of entries the ‘rvas[]’ array can hold. However, it does not reject a value equal to 100, so the 101st icon is stored at ‘rvas[100]’, one element past the end of the array. A malicious user could therefore provide a specially crafted PE file with more than 100 icons to write a ‘uint32_t’ integer beyond the buffer’s bounds.
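To make the boundary concrete, here is a small added harness (not ClamAV code) that replays a stream of icon callbacks against both comparison operators. It keeps the same 100-entry struct but, instead of storing through the array when the index is out of range, it counts the write that the real callback would have performed; the RVA values are constructed sample data and the helper names (replay_icons, oob_writes, final_count) are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICON_MAX 100  /* capacity of rvas[] in the original struct */

struct ICONS {
    unsigned int cnt;
    uint32_t rvas[ICON_MAX];
};

/* Bound check as shipped before 0.96.5: lets cnt == 100 through. */
static int slot_full_vuln(unsigned int cnt) { return cnt > ICON_MAX; }

/* Bound check after the patch: rejects cnt == 100. */
static int slot_full_fixed(unsigned int cnt) { return cnt >= ICON_MAX; }

/* Replays n icon callbacks against the chosen bound check. A harness-only
 * guard records, rather than performs, any write past rvas[], so this program
 * itself never corrupts memory. Returns the number of out-of-bounds writes
 * the real callback would have made; *final_cnt receives the counter value. */
static unsigned int replay_icons(unsigned int n, int (*full)(unsigned int),
                                 unsigned int *final_cnt)
{
    struct ICONS icons;
    unsigned int oob = 0, i;
    memset(&icons, 0, sizeof icons);
    for (i = 0; i < n; i++) {
        uint32_t rva = 0x1000u + i * 0x10u;  /* constructed sample RVA */
        if (full(icons.cnt))
            break;                   /* callback returns 1: enumeration stops */
        if (icons.cnt < ICON_MAX)    /* harness-only guard */
            icons.rvas[icons.cnt] = rva;
        else
            oob++;                   /* the real code would write rvas[cnt] here */
        icons.cnt++;
    }
    if (final_cnt)
        *final_cnt = icons.cnt;
    return oob;
}

/* Convenience wrappers: fixed != 0 selects the patched comparison. */
static unsigned int oob_writes(unsigned int n, int fixed)
{
    return replay_icons(n, fixed ? slot_full_fixed : slot_full_vuln, NULL);
}

static unsigned int final_count(unsigned int n, int fixed)
{
    unsigned int cnt;
    replay_icons(n, fixed ? slot_full_fixed : slot_full_vuln, &cnt);
    return cnt;
}

int main(void)
{
    printf("150 icons, '>'  check: %u out-of-bounds write(s), cnt=%u\n",
           oob_writes(150, 0), final_count(150, 0));
    printf("150 icons, '>=' check: %u out-of-bounds write(s), cnt=%u\n",
           oob_writes(150, 1), final_count(150, 1));
    return 0;
}
```

With exactly 100 icons neither variant misbehaves; the difference appears only at the 101st callback, where the original comparison admits one write at index 100 before the counter exceeds the bound and enumeration stops. That single stray uint32_t is the entire vulnerability.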
To fix this, the patch was:
cli_dbgmsg("icon_cb: got icon %x\n", name); - if(icons->cnt > 100) + if(icons->cnt >= 100) return 1;
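Review bot: the `>=` comparison in `if(icons->cnt >= 100)` is the correct bound for a 100-element `rvas[]` (valid indices 0..99), but the literal 100 is now duplicated between the struct definition and the check; deriving it from the array, e.g. `if(icons->cnt >= sizeof(icons->rvas)/sizeof(icons->rvas[0]))`, would keep the two from drifting apart if the array is ever resized.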
Are off-by-ones still exploitable?
Anon
December 5, 2010 at 23:56
It depends. Sometimes they are.
I don’t know about this one though, I haven’t tested it yet.
xorl
December 6, 2010 at 00:02
Yes, they are.
Kaspar
December 6, 2010 at 18:52