From: Victor Stinner <victor.stinner <at> haypocalc.com>
Subject: Bug in OLE2 file parser
Newsgroups: gmane.comp.security.virus.clamav.devel
Date: 2007-04-18 11:12:10 GMT

Hi,

I'm doing fuzzing tests on many programs. Yesterday I tried ClamAV. I found a bug in the OLE2 parser which can lead to DoS: it eats 2 GB on the hard drive and uses CPU for many minutes. I built a .doc file of 87 KB with a property of 2 GB.

The problem is that the property size is not checked. I don't know ClamAV but I think that a size bigger than 1 GB (or smaller) may be rejected. So an OLE2 file with a property size bigger than N bytes has to be rejected (N = min(filesize, maxsize)).

There are two problems:
- max property size
- loop in block chain

To build an 87 KB file with a 2 GB property I created an unlimited chain in the FAT partition. So to fix the bug you can/should also check for loops in the block chain.

Contact me directly if you're a developer of ClamAV and you want my file.

Victor
--
Victor Stinner aka haypo
http://hachoir.org/
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
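
The two checks proposed in the message above (rejecting a property larger than N = min(filesize, maxsize), and detecting a loop in the block chain) are sketched here as an added example; it is not ClamAV's code or the poster's. The function name, status codes and sample FAT arrays are hypothetical, and it assumes the FAT has already been read into an array of 32-bit entries.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OLE2_ENDOFCHAIN 0xFFFFFFFEu /* FAT value that terminates a chain */

enum chain_status { CHAIN_OK, CHAIN_TOO_BIG, CHAIN_LOOP, CHAIN_BAD_INDEX, CHAIN_SHORT, CHAIN_NOMEM };

/* Constructed sample FATs: a 3-sector chain, and the same chain looping back to sector 0. */
static const uint32_t good_fat[4] = {1, 2, OLE2_ENDOFCHAIN, OLE2_ENDOFCHAIN};
static const uint32_t loop_fat[4] = {1, 2, 0, OLE2_ENDOFCHAIN};

/* Hypothetical helper: validate a property's declared size and its block chain. */
enum chain_status check_property(const uint32_t *fat, size_t fat_entries,
                                 uint32_t start, uint64_t declared_size,
                                 uint64_t file_size, uint64_t max_size,
                                 uint32_t sector_size)
{
    /* Check 1: declared size must not exceed N = min(filesize, maxsize). */
    uint64_t limit = file_size < max_size ? file_size : max_size;
    if (declared_size > limit)
        return CHAIN_TOO_BIG;

    /* Check 2: walk the chain, marking visited sectors to catch a loop. */
    unsigned char *seen = calloc(fat_entries ? fat_entries : 1, 1);
    if (!seen)
        return CHAIN_NOMEM;
    enum chain_status st = CHAIN_OK;
    uint64_t covered = 0;
    uint32_t cur = start;
    while (cur != OLE2_ENDOFCHAIN) {
        if (cur >= fat_entries) { st = CHAIN_BAD_INDEX; break; }
        if (seen[cur]) { st = CHAIN_LOOP; break; }
        seen[cur] = 1;
        covered += sector_size;
        cur = fat[cur];
    }
    free(seen);
    /* A loop-free chain must still supply as many bytes as the property declares. */
    if (st == CHAIN_OK && covered < declared_size)
        st = CHAIN_SHORT;
    return st;
}

int main(void)
{
    printf("good chain: %d\n", (int)check_property(good_fat, 4, 0, 1500, 87 * 1024, 1ULL << 30, 512));
    printf("loop chain: %d\n", (int)check_property(loop_fat, 4, 0, 1500, 87 * 1024, 1ULL << 30, 512));
    return 0;
}
```

Because every sector can be visited at most once, the walk ends after at most `fat_entries` steps regardless of what the file's FAT contains.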