Mailing List Archive

segfault in TNEF
We're using libripmime in our application and I found a problem.
A mail msg came through the other day that caused the tnef
decoding to segfault. I'm using the latest version 1.4.dev,
released on 12/1.

I enabled the debugging, and got the following output:
tnef.c:771:TNEF_main:DEBUG: Start, decoding 1102002911.10656/winmail.dat
tnef.c:823:TNEF_main:DEBUG: Read 4626 bytes
tnef.c:695:TNEF_decode_tnef:DEBUG: Start. Size = 4626
tnef.c:706:TNEF_decode_tnef:DEBUG: TNEF signature is good
tnef.c:719:TNEF_decode_tnef:DEBUG: TNEF Attach Key: c0f
tnef.c:729:TNEF_decode_tnef:DEBUG: TNEF - Commence reading attributes
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 6
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 6, bytes=13)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 561158
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 21
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 21, bytes=17)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 430087
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 40
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 40, bytes=11)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 294925
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 53
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 53, bytes=23)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 229381
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 78
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 78, bytes=23)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 229408
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 103
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 103, bytes=42)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 98313
tnef.c:732:TNEF_decode_tnef:DEBUG: Offset = 147
tnef.c:498:TNEF_read_attribute:DEBUG: Reading Attribute...
tnef.c:505:TNEF_read_attribute: Reading Size...
tnef.c:533:TNEF_read_attribute:DEBUG: Reading Checksum...(offset 147, bytes=4477)
tnef.c:537:TNEF_read_attribute:DEBUG: Decoding attribute 430083
tnef.c:246:TNEF_read_32:ERROR: Attempting to read beyond end of memory block
tnef.c:246:TNEF_read_32:ERROR: Attempting to read beyond end of memory block
tnef.c:246:TNEF_read_32:ERROR: Attempting to read beyond end of memory block

and right here it gets a SIGSEGV.

Doing a stack trace in gdb shows:
#0 0x4207a453 in strlen () from /lib/tls/libc.so.6
#1 0x4204752d in vfprintf () from /lib/tls/libc.so.6
#2 0x42069fb4 in vsnprintf () from /lib/tls/libc.so.6
#3 0x4204f154 in snprintf () from /lib/tls/libc.so.6
#4 0x0806dbad in make_string (tsp=0x884f97c <Address 0x884f97c out of bounds>,
size=7929956) at tnef.c:300
#5 0x0806ddfa in handle_props (tsp=0x80bf814 "8") at tnef.c:390
#6 0x0806e25a in read_attribute (tsp=0x80bf80b "\001\003\220\006") at tnef.c:630
#7 0x0806e409 in TNEF_decode_tnef (tnef_stream=0x80bf778 "x\237>\"\017\f\001\006\220\b", size=4626) at tnef.c:733

So basically, when make_string() was changed to use snprintf, it
broke. "tsp" being passed to snprintf is outside the proper
address space, and stdio routines don't like that. When it calls
handle_props() and gets to PT_STRING8, it calls read_32, which
now has error checking, but the return value in handle_props()
doesn't check it. So tsp now has a bad value, which gets passed
to make_string(). In version 4.1.0.1 and earlier, it didn't segfault,
just printed a bunch more error lines and went on.

I'd try to fix it myself, but I don't know anything about the TNEF
file format, so I don't know what the right thing to do would be
in the case of this error (just return?, still loop through the
other properties?). Is there a place on the web that describes it?

I found another mail msg the other day that causes a segfault in ripOLE,
but I'll save that for another msg. I've got both TNEF and OLE decoding
turned off for now, but I thought I'd bring it to your attention.


Brian Bebeau
Mycom Group, Inc.
bbebeau@mycom.com
_______________________________________________
Ripmime-general mailing list
Ripmime-general@pldaniels.com
http://www.pldaniels.com/mailman/listinfo/ripmime-general
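The unchecked-return pattern described in the report above, as an added illustration that is not libripmime's own code: a bounds-checked 32-bit read whose status the caller now honours, followed by a check that the declared string length actually fits inside the block before anything is copied or handed to stdio. The names (tstream, tnef_read_32, read_string8_prop, parse_sample) and the sample byte arrays are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stream type; not libripmime's own structures. */
struct tstream { const uint8_t *data; size_t size; size_t off; };

/* Bounds-checked little-endian 32-bit read. Returns 0 on success, -1 if the
 * read would run past the end of the block; the caller must check this. */
static int tnef_read_32(struct tstream *s, uint32_t *out) {
    if (s->size < 4 || s->off > s->size - 4) return -1;
    const uint8_t *p = s->data + s->off;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    s->off += 4;
    return 0;
}

/* Copy one length-prefixed PT_STRING8-style property out of the stream. The
 * length read and the payload are both bounds-checked before memcpy; on any
 * failure the property is skipped and -1 is returned instead of passing a
 * bad pointer or length downstream. */
static int read_string8_prop(struct tstream *s, char *dst, size_t dstlen) {
    uint32_t len;
    if (tnef_read_32(s, &len) != 0) return -1;   /* the status check the report says was missing */
    if (len > s->size - s->off) return -1;        /* declared length exceeds remaining bytes */
    if (len >= dstlen) return -1;                 /* would not fit the destination buffer */
    memcpy(dst, s->data + s->off, len);
    dst[len] = '\0';
    s->off += len;
    return 0;
}

/* Constructed sample inputs (not the message from the report). */
static const uint8_t good[]      = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t short_len[] = { 0, 0, 1, 0, 'a', 'b', 'c' }; /* claims 65536 bytes, has 3 */
static const uint8_t stub[]      = { 1, 2 };                      /* not even a full length field */

static char last_value[64];
/* Parse one sample from offset 0; returns the status and leaves the string in last_value. */
static int parse_sample(const uint8_t *buf, size_t n) {
    struct tstream s = { buf, n, 0 };
    last_value[0] = '\0';
    return read_string8_prop(&s, last_value, sizeof last_value);
}

int main(void) {
    printf("good:      %d (%s)\n", parse_sample(good, sizeof good), last_value);
    printf("short_len: %d\n", parse_sample(short_len, sizeof short_len));
    printf("stub:      %d\n", parse_sample(stub, sizeof stub));
    return 0;
}
```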
Re: segfault in TNEF
Brian,

Thanks for the rundown on the segfaults. I'll get these fixed up asap. I don't suppose you have a copy of the
offending file/mailpack? If you do, send it through to mailpacks@pldaniels.com

Paul.

--
PLDaniels - Software - Xamime
Unix systems Internet Development A.B.N. 19 500 721 806
PGP Public Key at http://www.pldaniels.com/gpg-keys.pld
Re: segfault in TNEF
Brian,

I've patched TNEF with a few more bounds-checking routines to stop the segfault.

Hope it works for you, it's available as 1.4-dev

Paul.


--
PLDaniels - Software - Xamime
Unix systems Internet Development A.B.N. 19 500 721 806
PGP Public Key at http://www.pldaniels.com/gpg-keys.pld