[Clamav-devel] Bug in OLE2 file parser

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
Trog at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Victor Stinner
Date:  
To: clamav-devel
Subject: [Clamav-devel] Bug in OLE2 file parser
Hi,

I'm doing fuzzing tests on many programs. Yesterdays I tried ClamAV. I found a
bug in ole2 parser which can lead to DoS: eat 2 GB on hard drive and use CPU
during many minutes.

I built a .doc file of 87 KB with a property of 2 GB. The problem is that
property size is not checked. I don't know ClamAV but I think that size
bigger than 1 GB (or smaller) may be rejected. So OLE2 file with a property
size bigger than N bytes have to be rejected (N = min(filesize, maxsize)).

There is two problem:
- max property size
- loop in block chain

To build a 87 KB with a 2 GB property I created an unlimited chain in FAT
partition. So to fix the bug you can/should also check loop in block chain.

Contact me directly if you're a developer of ClamAV and you want my file.

Victor
-- 
Victor Stinner aka haypo
http://hachoir.org/
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


This message was posted to the following mailing lists:
clamav-devel
Mailing List Info | Nearby Messages		<-[Clamav-devel] ClamAV large files supportRe: [Clamav-devel] Bug in OLE2 file parser->
ClamAV Mailing List Archive administrated by Luca GibelliLurker (version 2.1)