Buffer overflow in create_stream
The attached file, overflow.msi, causes msiinfo to crash on 32-bit platforms:
$ gdb --args msiinfo extract overflow.msi Property
(gdb) run
Starting program: /usr/bin/msiinfo extract overflow.msi Property
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-CRITICAL **: 15:11:28.513: ole_dirent_new: assertion 'entry <= G_MAXUINT / DIRENT_SIZE' failed
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: A non directory stream with children ?
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: A non directory stream with children ?
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: A non directory stream with children ?
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: A non directory stream with children ?
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: A non directory stream with children ?
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: A non directory stream with children ?
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0xffffffff instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: Invalid metabat item 30303030
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000030 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000030 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000030 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000030 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000000 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000030 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000000 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
(msiinfo:24688): libgsf:msole-WARNING **: 15:11:28.513: This OLE2 file is invalid.
The Block Allocation Table for one of the streams had 0x00000030 instead of a terminator (0xfffffffe).
We might still be able to extract some data, but you'll want to check the file.
** (msiinfo:24688): CRITICAL **: 15:11:28.513: string table corrupt?
** (msiinfo:24688): CRITICAL **: 15:11:28.513: string table load failed! (00000430 != 00000000), please report
*** stack smashing detected ***: <unknown> terminated
Program received signal SIGABRT, Aborted.
0xf7fd3069 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fd3069 in __kernel_vsyscall ()
#1 0xf79f0382 in __libc_signal_restore_set (set=0xffffb0bc) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
#2 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xf79da2b6 in __GI_abort () at abort.c:79
#4 0xf7a31d2c in __libc_message (action=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
#5 0xf7acc0ee in __GI___fortify_fail_abort (need_backtrace=false, msg=0xf7b421e3 "stack smashing detected") at fortify_fail.c:28
#6 0xf7acc09b in __stack_chk_fail () at stack_chk_fail.c:29
#7 0xf7f5f554 in __stack_chk_fail_local () from /usr/lib/i386-linux-gnu/libmsi.so.0
#8 0xf7f56932 in create_stream (sv=sv@entry=0x5657fce0, name=0xffffb4ce '〰' <repeats 24 times>,
name@entry=0x5657e360 '〰' <repeats 24 times>, encoded=encoded@entry=true, stm=0x56569ab8) at ../libmsi/streams.c:75
#9 0xf7f56b89 in add_stream_to_table (name=0x5657e360 '〰' <repeats 24 times>, stm=0x56569ab8, opaque=0x5657fce0)
at ../libmsi/streams.c:370
#10 0xf7f4d282 in msi_enum_db_streams (db=0x5656ac00, fn=0xf7f56b60 <add_stream_to_table>, opaque=0x5657fce0)
at ../libmsi/libmsi-database.c:434
#11 0xf7f56f40 in add_streams_to_table (sv=0x5657fce0) at ../libmsi/streams.c:391
#12 streams_view_create (db=0x5656ac00, view=0x5657fcc4) at ../libmsi/streams.c:407
#13 0xf7f5b3b0 in table_view_create (db=0x5656ac00, name=<optimized out>, view=0x5657fcc4) at ../libmsi/table.c:1993
#14 0xf7f5f2cd in where_view_create (db=0x5656ac00, view=0xffffb680, tables=0x5657e2a8 "_Streams", cond=0x5657fc68)
at ../libmsi/where.c:1125
#15 0xf7f49c9b in sql_parse (info=<optimized out>) at ../libmsi/sql-parser.y:520
#16 0xf7f49f94 in _libmsi_parse_sql (db=0x5656ac00, command=0x56566d30 "SELECT `Data` FROM `_Streams` WHERE `Name` = ?",
phview=0x5657ee0c, mem=0x5657ee1c) at ../libmsi/sql-parser.y:1016
#17 0xf7f51ee8 in init (error=0xffffcf78, self=0x5657ee00) at ../libmsi/libmsi-query.c:670
#18 libmsi_query_new (database=0x5656ac00, query=0x56558724 "SELECT `Data` FROM `_Streams` WHERE `Name` = ?", error=0xffffcf78)
at ../libmsi/libmsi-query.c:670
#19 0x56557932 in cmd_extract (cmd=0x5655b068 <cmds+72>, argc=3, argv=0xffffd048, error=0xffffcf78) at ../tools/msiinfo.c:369
#20 0x565563d1 in main (argc=4, argv=0xffffd044) at ../tools/msiinfo.c:770
Forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871503