CVE-2010-4261: ClamAV icon_cb() off-by-one

A new version of ClamAV (0.96.5) was released on 29 November 2010. Among other patches, the new release includes an off-by-one fix located at libclamav/pe_icons.c in the function below.

struct ICONS {
    unsigned int cnt;
    uint32_t rvas[100];
};

static int icon_cb(void *ptr, uint32_t type, uint32_t name, uint32_t lang, uint32_t rva) {
    struct ICONS *icons = ptr;
    type = type; lang = lang;
    cli_dbgmsg("icon_cb: got icon %x\n", name);
    if(icons->cnt > 100) 
        return 1;
    icons->rvas[icons->cnt] = rva;
    icons->cnt++;
    return 0;
}

Before updating the ‘rvas[]’ array and incrementing the icon’s counter there is a check. It checks that the current counter’s value isn’t greater than 100 which is the number of values that ‘rvas[]’ array can hold. However, it doesn’t check for values equal to 100 meaning that a malicious user could provide a specially crafted icon to write an ‘uint32_t’ integer beyond buffer’s bounds.
To fix this, the patch was:

     cli_dbgmsg("icon_cb: got icon %x\n", name);
-    if(icons->cnt > 100) 
+    if(icons->cnt >= 100)
        return 1;

3 Responses

Subscribe to comments with RSS.

Are off-by-one still exploitable?

Anon

December 5, 2010 at 23:56
It depends. sometimes they are.
I don’t know about this one though, I haven’t test it yet.

xorl

December 6, 2010 at 00:02
Yes, they are.

Kaspar

December 6, 2010 at 18:52

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

You are commenting using your Google+ account. ( Log Out / Change )

Cancel

Connecting to %s

xorl %eax, %eax