From: Victor Stinner <victor.stinner@haypocalc.com>
To: clamav-devel@lists.clamav.net
Date: Wed, 18 Apr 2007 13:12:10 +0200
Message-Id: <200704181312.10283.victor.stinner@haypocalc.com>
Subject: [Clamav-devel] Bug in OLE2 file parser

Hi,

I'm doing fuzzing tests on many programs. Yesterday I tried ClamAV. I found a 
bug in the ole2 parser which can lead to DoS: eat 2 GB on the hard drive and use 
CPU for many minutes.

I built a .doc file of 87 KB with a property of 2 GB. The problem is that the 
property size is not checked. I don't know ClamAV but I think that sizes 
bigger than 1 GB (or smaller) may be rejected. So OLE2 files with a property 
size bigger than N bytes have to be rejected (N = min(filesize, maxsize)).

There are two problems:
- max property size
- loop in block chain

To build an 87 KB file with a 2 GB property I created an unlimited chain in the 
FAT partition. So to fix the bug you can/should also check for loops in the block chain.

Contact me directly if you're a developer of ClamAV and you want my file.

Victor
-- 
Victor Stinner aka haypo
http://hachoir.org/
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
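The two checks the report asks for, a loop detector on the FAT block chain and a size cap at min(filesize, maxsize), as an added C example that is neither ClamAV's code nor the reporter's. It assumes the standard OLE2 FAT layout (32-bit sector ids, 0xFFFFFFFE ending a chain); the sample FATs, the 512-byte sector size and the byte cap are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OLE2_ENDOFCHAIN 0xFFFFFFFEu   /* last sector of a chain */
#define OLE2_FREESECT   0xFFFFFFFFu   /* unused FAT entry */

typedef enum { CHAIN_OK, CHAIN_LOOP, CHAIN_BAD_SECTOR, CHAIN_TOO_BIG } chain_status;

/* Walk the FAT chain that starts at sector `start`, adding up the bytes it
 * describes. Every sector is marked when first seen, so a FAT entry that
 * points back to an already visited sector is reported as CHAIN_LOOP instead
 * of being followed forever. The running size is also compared against
 * `max_bytes`, which a caller would set to min(file size, policy maximum). */
chain_status walk_fat_chain(const uint32_t *fat, size_t nfat, uint32_t start,
                            size_t sector_size, uint64_t max_bytes,
                            uint64_t *out_bytes)
{
    uint8_t *visited = calloc(nfat, 1);
    chain_status st = CHAIN_OK;
    uint64_t bytes = 0;
    uint32_t cur = start;

    if (!visited) return CHAIN_BAD_SECTOR;
    while (cur != OLE2_ENDOFCHAIN) {
        /* FREESECT and the other 0xFFFFFFFx markers also fail this bound. */
        if (cur >= nfat)       { st = CHAIN_BAD_SECTOR; break; }
        if (visited[cur])      { st = CHAIN_LOOP; break; }
        visited[cur] = 1;
        bytes += sector_size;
        if (bytes > max_bytes) { st = CHAIN_TOO_BIG; break; }
        cur = fat[cur];
    }
    free(visited);
    *out_bytes = bytes;
    return st;
}

/* Constructed sample FATs, not taken from the reporter's file. */
static const uint32_t FAT_OK[4]   = { 1, 2, OLE2_ENDOFCHAIN, OLE2_FREESECT };
static const uint32_t FAT_LOOP[3] = { 1, 2, 0 };  /* 0 -> 1 -> 2 -> 0 */

int main(void)
{
    uint64_t n = 0;
    printf("ok chain:   status %d, %llu bytes\n",
           walk_fat_chain(FAT_OK, 4, 0, 512, 1u << 20, &n), (unsigned long long)n);
    printf("loop chain: status %d\n", walk_fat_chain(FAT_LOOP, 3, 0, 512, 1u << 20, &n));
    return 0;
}
```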