Fix benign 1-byte buffer over-write in OLE2 parser

The office art structure for OLE2 documents records the file name
length using a `uint8_t`, meaning the name may be up to 255 bytes in
length, not including the null terminating byte. If the length is
255 then the parser will write the null-terminating byte just after
the end of the name buffer on the stack.

This issue does not cause a crash and is not a vulnerability.

This fix extends the size of stack array to account for the null
terminator.

Thank you Michał Dardas for reporting this issue.
ragusaa 2022-04-04 18:29:03 -04:00 committed by GitHub
parent d209051073
commit 2c91aa741e


@ -4441,7 +4441,7 @@ cl_error_t process_blip_store_container(const unsigned char *blip_store_containe
const unsigned char *embeddedBlip;
size_t embeddedBlip_size;
char *blip_file_name = NULL;
char blip_name_buffer[255] = {0};
char blip_name_buffer[256] = {0};
if (FBSE_record_data->cbName > 0) {
memcpy(blip_name_buffer,
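Review bot: the resize of `blip_name_buffer` from 255 to 256 is the correct bound for a `uint8_t` `cbName` (at most 255 bytes) plus the terminator, but the bare literal hides that relationship; consider `char blip_name_buffer[UINT8_MAX + 1] = {0};` or a one-line comment stating that the extra byte is for the terminator, so a later change to the `cbName` type does not silently reintroduce the off-by-one. The hunk is cut off after `memcpy(blip_name_buffer,`, so the copy length is not visible here; the fix holds only if that memcpy copies at most `cbName` bytes and the terminator is written at index `cbName`, which is what the commit message describes.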