OLE2: Fix integer overflow that may result in over read

An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
Cisco-Talos · Dec 20, 2023 · de27d4f · de27d4f
1 parent 4ec53d5
commit de27d4f
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
@@ -84,7 +84,7 @@ typedef struct ole2_header_tag {
     unsigned char clsid[16];
     uint16_t minor_version __attribute__((packed));
     uint16_t dll_version __attribute__((packed));
-    int16_t byte_order __attribute__((packed));             /* -2=intel */
+    int16_t byte_order __attribute__((packed)); /* -2=intel */
 
     uint16_t log2_big_block_size __attribute__((packed));   /* usually 9 (2^9 = 512) */
     uint32_t log2_small_block_size __attribute__((packed)); /* usually 6 (2^6 = 64) */
@@ -134,7 +134,7 @@ typedef struct ole2_header_tag {
  * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/60fe8611-66c3-496b-b70d-a504c94c9ace
  */
 typedef struct property_tag {
-    char name[64];       /* in unicode */
+    char name[64]; /* in unicode */
     uint16_t name_size __attribute__((packed));
     unsigned char type;  /* 1=dir 2=file 5=root */
     unsigned char color; /* black or red */
@@ -2273,6 +2273,7 @@ static bool initialize_encryption_key(
 
     encryption_info_stream_standard_t encryptionInfo = {0};
     uint16_t *encryptionInfo_CSPName                 = NULL;
+    size_t CSPName_length                            = 0;
     const uint8_t *encryptionVerifierPtr             = NULL;
     encryption_verifier_t encryptionVerifier         = {0};
 
@@ -2402,14 +2403,24 @@ static bool initialize_encryption_key(
         goto done;
     }
 
-    for (idx = 0; idx * sizeof(uint16_t) < remainingBytes; idx++) {
+    while (true) {
+        // Check if we've gone past the end of the buffer without finding the end of the CSPName string.
+        if ((idx + 1) * sizeof(uint16_t) > remainingBytes) {
+            cli_dbgmsg("ole2: CSPName is missing null terminator before end of buffer.\n");
+            goto done;
+        }
+        // Check if we've found the end of the CSPName string.
         if (encryptionInfo_CSPName[idx] == 0) {
             break;
         }
+        // Found another character in the CSPName string, keep going.
+        idx++;
     }
 
-    encryptionVerifierPtr = (uint8_t*)encryptionInfo_CSPName + (idx + 1) * sizeof(uint16_t);
-    remainingBytes -= (idx * sizeof(uint16_t));
+    CSPName_length = (idx + 1) * sizeof(uint16_t);
+
+    encryptionVerifierPtr = (uint8_t *)encryptionInfo_CSPName + CSPName_length;
+    remainingBytes -= CSPName_length;
 
     if (remainingBytes < sizeof(encryption_verifier_t)) {
         cli_dbgmsg("ole2: No encryption_verifier_t\n");