[Clamav-devel] Bug in OLE2 file parser

Top Page
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Victor Stinner
To: clamav-devel
Subject: [Clamav-devel] Bug in OLE2 file parser

I'm doing fuzzing tests on many programs. Yesterdays I tried ClamAV. I found a
bug in ole2 parser which can lead to DoS: eat 2 GB on hard drive and use CPU
during many minutes.

I built a .doc file of 87 KB with a property of 2 GB. The problem is that
property size is not checked. I don't know ClamAV but I think that size
bigger than 1 GB (or smaller) may be rejected. So OLE2 file with a property
size bigger than N bytes have to be rejected (N = min(filesize, maxsize)).

There is two problem:
- max property size
- loop in block chain

To build a 87 KB with a 2 GB property I created an unlimited chain in FAT
partition. So to fix the bug you can/should also check loop in block chain.

Contact me directly if you're a developer of ClamAV and you want my file.

Victor Stinner aka haypo
Please submit your patches to our Bugzilla: http://bugs.clamav.net