xorl %eax, %eax

CVE-2010-4261: ClamAV icon_cb() off-by-one


A new version of ClamAV (0.96.5) was released on 29 November 2010. Among other patches, the new release includes an off-by-one fix in libclamav/pe_icons.c, in the function below.

#include <stdint.h>

struct ICONS {
    unsigned int cnt;        /* number of RVAs stored so far */
    uint32_t rvas[100];      /* valid indices: 0 .. 99 */
};

/* Resource-walker callback, invoked once per icon entry found in the PE.
 * cli_dbgmsg() is ClamAV's debug logger. */
static int icon_cb(void *ptr, uint32_t type, uint32_t name, uint32_t lang, uint32_t rva) {
    struct ICONS *icons = ptr;
    type = type; lang = lang;            /* silence unused-parameter warnings */
    cli_dbgmsg("icon_cb: got icon %x\n", name);
    if(icons->cnt > 100)                 /* off-by-one: cnt == 100 passes this check */
        return 1;
    icons->rvas[icons->cnt] = rva;       /* with cnt == 100 this writes rvas[100] */
    icons->cnt++;                        /* counter incremented after each stored RVA */
    return 0;
}

Before storing into the ‘rvas[]’ array and incrementing the icon counter there is a bounds check. It rejects counter values greater than 100, which is the number of entries ‘rvas[]’ can hold, but it lets a counter value equal to 100 through. Since the valid indices are 0 to 99, the 101st icon is written to ‘rvas[100]’, one ‘uint32_t’ past the end of the array and past the end of the struct. A malicious user could therefore provide a specially crafted PE file with enough icon resources to trigger this out-of-bounds write.
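To make the boundary concrete, the following added example (my own harness, not ClamAV's code) keeps the layout of ‘struct ICONS’ but appends a sentinel field directly after ‘rvas[]’, then feeds a constructed sequence of icon callbacks to both the pre-0.96.5 check and the corrected one. With 101 icons the old check clobbers the sentinel; with 100 it does not; the fixed check never does. The debug call and the unused parameters are dropped, the RVA values and the ‘run_icons’ driver are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ICONS 100
#define CANARY    0xDEADBEEFu

/* Same two fields as ClamAV's struct ICONS, plus a sentinel placed right after
 * rvas[] so that an out-of-bounds store to rvas[100] lands somewhere we can
 * observe. The sentinel is an addition for this harness only. */
struct ICONS_harness {
    unsigned int cnt;
    uint32_t rvas[MAX_ICONS];
    volatile uint32_t canary;   /* volatile: always re-read from memory */
};

/* Pre-0.96.5 check: cnt == 100 passes and rvas[100] is written. */
static int icon_cb_vulnerable(void *ptr, uint32_t rva) {
    struct ICONS_harness *icons = ptr;
    if (icons->cnt > MAX_ICONS)
        return 1;
    icons->rvas[icons->cnt] = rva;   /* one past the end when cnt == 100 */
    icons->cnt++;
    return 0;
}

/* 0.96.5 check: cnt == 100 is rejected, so index 100 is never used. */
static int icon_cb_fixed(void *ptr, uint32_t rva) {
    struct ICONS_harness *icons = ptr;
    if (icons->cnt >= MAX_ICONS)
        return 1;
    icons->rvas[icons->cnt] = rva;
    icons->cnt++;
    return 0;
}

typedef int (*icon_cb_t)(void *ptr, uint32_t rva);

/* Stands in for the resource walker: calls cb once per icon entry with a
 * constructed RVA, stopping when the callback returns non-zero.
 * Returns 1 if the sentinel after rvas[] was overwritten, 0 otherwise. */
static int run_icons(icon_cb_t cb, unsigned int n_icons) {
    struct ICONS_harness icons;
    memset(&icons, 0, sizeof icons);
    icons.canary = CANARY;
    for (unsigned int i = 0; i < n_icons; i++) {
        uint32_t fake_rva = 0x1000u + i * 0x10u;   /* constructed value */
        if (cb(&icons, fake_rva))
            break;
    }
    return icons.canary != CANARY;
}

int main(void) {
    printf("vulnerable check, 101 icons: sentinel clobbered = %d\n",
           run_icons(icon_cb_vulnerable, 101));
    printf("vulnerable check, 100 icons: sentinel clobbered = %d\n",
           run_icons(icon_cb_vulnerable, 100));
    printf("fixed check,      101 icons: sentinel clobbered = %d\n",
           run_icons(icon_cb_fixed, 101));
    return 0;
}
```

The sentinel sits where the next object would be in the real layout; in ClamAV the struct ends at ‘rvas[]’, so the stray ‘uint32_t’ lands in whatever the compiler placed after it. Compiling with ‘-fsanitize=address’ reports the same store as a write past the array bound without needing the sentinel.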
To fix this, the patch was:

     cli_dbgmsg("icon_cb: got icon %x\n", name);
-    if(icons->cnt > 100) 
+    if(icons->cnt >= 100)
        return 1;
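Review bot: the corrected condition is right (indices 0..99 are the only valid ones), but the bound 100 is now written twice, once in `uint32_t rvas[100];` and once in `if(icons->cnt >= 100)`; deriving the check from `sizeof(icons->rvas) / sizeof(icons->rvas[0])` or a shared constant would keep the two from drifting apart if the array is ever resized. A `cli_dbgmsg` on the `return 1;` path would also help, since hitting the limit currently stops icon collection silently.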

Written by xorl

December 5, 2010 at 23:23

Posted in vulnerabilities

3 Responses


  1. Are off-by-ones still exploitable?


    December 5, 2010 at 23:56

  2. It depends. Sometimes they are.
    I don’t know about this one though, I haven’t tested it yet.


    December 6, 2010 at 00:02

  3. Yes, they are.


    December 6, 2010 at 18:52
