CVE-2010-4261: ClamAV icon_cb() off-by-one
A new version of ClamAV (0.96.5) was released on 29 November 2010. Among other patches, the new release includes an off-by-one fix located at libclamav/pe_icons.c in the function below.
struct ICONS {
    unsigned int cnt;       /* number of icon RVAs collected so far */
    uint32_t rvas[100];     /* valid indices are 0..99 */
};

static int icon_cb(void *ptr, uint32_t type, uint32_t name, uint32_t lang, uint32_t rva) {
    struct ICONS *icons = ptr;
    type = type; lang = lang;           /* silence unused-parameter warnings */
    cli_dbgmsg("icon_cb: got icon %x\n", name);
    if(icons->cnt > 100)                /* off-by-one: cnt == 100 passes this check */
        return 1;
    icons->rvas[icons->cnt] = rva;      /* with cnt == 100 this stores to rvas[100], one past the end */
    icons->cnt++;
    return 0;
}
Before updating the ‘rvas[]’ array and incrementing the icon counter there is a check. It verifies that the current counter value isn’t greater than 100, which is the number of values the ‘rvas[]’ array can hold. However, it doesn’t reject a value equal to 100, so when the counter reaches 100 the store lands at ‘rvas[100]’, one element past the end of the array. A malicious user could therefore provide a PE file with a specially crafted icon resource directory to write a ‘uint32_t’ integer beyond the buffer’s bounds.
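As an added example (not code from ClamAV), the following C program models the pre-fix and post-fix checks side by side and counts how many callbacks would store past the end of ‘rvas[]’; the names ‘slot_for’, ‘oob_writes’, ‘fill_fixed’ and ‘MAX_ICONS’ are introduced here, and the 150 icon RVAs are constructed input.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ICONS 100   /* matches rvas[100] in libclamav/pe_icons.c */

struct ICONS {
    unsigned int cnt;
    uint32_t rvas[MAX_ICONS];
};

/* Hardened callback: the bound is derived from the array itself, so it cannot
 * drift from the declaration the way a repeated literal 100 can. */
static int icon_cb_fixed(struct ICONS *icons, uint32_t rva) {
    if (icons->cnt >= sizeof(icons->rvas) / sizeof(icons->rvas[0]))
        return 1;                       /* stop enumeration, buffer is full */
    icons->rvas[icons->cnt++] = rva;
    return 0;
}

/* Decision logic of the two checks as a pure function: returns the slot that
 * would be written, or -1 when the entry is rejected. The vulnerable policy
 * (cnt > 100) is modelled rather than executed, so no memory is corrupted. */
static int slot_for(unsigned int cnt, int fixed) {
    if (fixed ? cnt >= MAX_ICONS : cnt > MAX_ICONS)
        return -1;
    return (int)cnt;
}

/* Simulate a resource directory holding n_icons icon entries and count how
 * many callbacks would store past the end of rvas[] (index 100 or higher). */
static unsigned int oob_writes(unsigned int n_icons, int fixed) {
    unsigned int cnt = 0, oob = 0;
    for (unsigned int i = 0; i < n_icons; i++) {
        int slot = slot_for(cnt, fixed);
        if (slot < 0) break;            /* callback returned 1 */
        if (slot >= MAX_ICONS) oob++;
        cnt++;
    }
    return oob;
}

/* Feed n constructed RVAs through the hardened callback; returns entries kept. */
static unsigned int fill_fixed(unsigned int n) {
    struct ICONS icons = { 0 };
    for (uint32_t i = 0; i < n; i++)
        if (icon_cb_fixed(&icons, 0x1000 + i * 0x10)) break;
    return icons.cnt;
}

int main(void) {
    printf("vulnerable check: %u out-of-bounds write(s)\n", oob_writes(150, 0));
    printf("fixed check:      %u out-of-bounds write(s)\n", oob_writes(150, 1));
    printf("fixed callback kept %u of 150 entries\n", fill_fixed(150));
    return 0;
}
```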
To fix this, the patch was:
cli_dbgmsg("icon_cb: got icon %x\n", name);
- if(icons->cnt > 100)
+ if(icons->cnt >= 100)
return 1;
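Review bot: the corrected bound in the `+ if(icons->cnt >= 100)` line still repeats the array size as a literal that must be kept in sync with the `uint32_t rvas[100]` declaration; deriving it from the array (for example `sizeof(icons->rvas) / sizeof(icons->rvas[0])`) or a shared constant would prevent the two from drifting apart if the array is ever resized.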

Are off-by-one still exploitable?
Anon
December 5, 2010 at 23:56
It depends. Sometimes they are.
I don’t know about this one though, I haven’t tested it yet.
xorl
December 6, 2010 at 00:02
Yes, they are.
Kaspar
December 6, 2010 at 18:52