Commit | Line | Data |
---|---|---|
bfcdf887 AV |
1 | Fix CVE-2017-11110: |
2 | ||
3 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11110 | |
4 | https://bugzilla.redhat.com/show_bug.cgi?id=1468471 | |
5 | https://security-tracker.debian.org/tracker/CVE-2017-11110 | |
6 | ||
7 | Patch copied from openSUSE: | |
8 | ||
9 | https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?expand=1 | |
10 | ||
11 | From: Andreas Stieger <astieger@suse.com> | |
12 | Date: Mon, 10 Jul 2017 15:37:58 +0000 | |
13 | References: CVE-2017-11110 http://bugzilla.suse.com/show_bug.cgi?id=1047877 | |
14 | ||
15 | All .doc I found had sectorSize 0x09 at offset 0x1e. Guarding it against <4. | |
16 | ||
17 | --- | |
18 | src/ole.c | 5 +++++ | |
19 | 1 file changed, 5 insertions(+) | |
20 | ||
21 | Index: catdoc-0.95/src/ole.c | |
22 | =================================================================== | |
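--- catdoc-0.95.orig/src/ole.c 2016-05-25 06:37:12.000000000 +0200
+++ catdoc-0.95/src/ole.c 2017-07-10 17:42:33.578308107 +0200
@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si
 return NULL;
 }
 sectorSize = 1<<getshort(oleBuf,0x1e);
+ /* CVE-2017-11110) */
+ if (sectorSize < 4) {
+ fprintf(stderr,"sectorSize < 4 not supported\n");
+ return NULL;
+ }
 shortSectorSize=1<<getshort(oleBuf,0x20);
 
 /* Read BBD into memory */
@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si
 }
 
 fseek(newfile, 512+mblock*sectorSize, SEEK_SET);
- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i,
+ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >= 4 for CVE-2017-11110 */
 1, sectorSize, newfile) != sectorSize) {
 fprintf(stderr, "Error read MSAT!\n");
 ole_finish();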
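Review bot: In the first hunk the new `sectorSize < 4` guard runs only after `1<<getshort(oleBuf,0x1e)` has already been evaluated, so the shift count taken from the file header is still unvalidated, and a count at or above the width of `int` is undefined behaviour that the later comparison cannot be relied on to catch. Checking the exponent before shifting and bounding it on both sides would close that, for example `int shift = getshort(oleBuf,0x1e); if (shift < 2 || shift > MAX_SECTOR_SHIFT) { ... return NULL; }`, where `MAX_SECTOR_SHIFT` is a placeholder for whatever limit the project settles on (the commit message reports 0x09 in every sample seen). The next context line, `shortSectorSize=1<<getshort(oleBuf,0x20);`, has the same unvalidated shift and gets no guard at all. The comment `/* CVE-2017-11110) */` has a stray `)` and would read better as a sentence saying why values below 4 are rejected, namely the `(sectorSize-4)*i` offset in the second hunk. ole_init starts and ends outside both hunks, so the types of these variables and any cleanup needed before the early `return NULL` are not visible here.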