Message-ID: <CAFmK-Gx_boWxfcS3BdherULxnMhHRGG=t_BDzZyw1+ZYe05+Jg@mail.gmail.com>
Date: Sat, 13 Sep 2025 14:47:27 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CHMLIB 0.40a Integer Overflow in LZX Decompression of CHMLib

An integer overflow vulnerability exists in the LZX decompression routines
of CHMLib (tested in version 0.40, latest release as of 2025). The issue
occurs within lzx.c during bitstream parsing (lzx_read_lens and
LZXdecompress), where crafted CHM files can supply values that cause
left-shift operations to exceed the representable range of 32-bit signed
integers. When processing malformed compressed blocks, operations such as:

    leaf = pos >> 16;
    table[(next_symbol << 1)] = 0;
    bitbuf |= ((inpos[1]<<8)|inpos[0]) << (ULONG_BITS-16 - bitsleft);

perform shifts on large values (value << 16), triggering undefined behavior.
This corrupts the Huffman decode tables and decompression state.


*Impact:*

   - Crafted CHM files can crash applications using CHMLib by causing
   failures or illegal memory operations during decompression.
   - Although direct heap overflows were not observed in this testing, the
   corrupted decompression state (match_length, match_offset) could under
   certain inputs lead to out-of-bounds reads or writes.

*Proof of Concept:*

    ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
    UBSAN_OPTIONS=print_stacktrace=1 \
    ./chmextract crafted_overflow_lzx.chm /tmp/out


*Observed errors:*

lzx.c:663:37: runtime error: left shift of 39074 by 16 places cannot be
represented in type 'int'

lzx.c:569:25: runtime error: left shift of 53200 by 16 places cannot be
represented in type 'int'

lzx.c:440:9: runtime error: left shift of 63471 by 16 places cannot be
represented in type 'int'
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
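The three UBSan reports above share one shape: a 16-bit little-endian value, assembled from two bytes, is promoted to signed int and shifted left by 16, so any value of 32768 or more leaves the range of int. The following is an added illustration written for this archive page, not CHMLib's own code: it checks whether such a shift would overflow, and shows the hardened form of the bit-buffer refill, doing the arithmetic in an explicit uint32_t and rejecting shift counts that a malformed stream could push out of range. It assumes a 32-bit bit buffer (so ULONG_BITS is taken as 32), and the byte pair 0xA2 0x98 is a constructed sample equal to 39074, the first value in the reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Added illustration, not CHMLib code. Assumes a 32-bit bit buffer, i.e.
 * ULONG_BITS == 32 in the expression quoted by the advisory. */

/* Report whether (int)value << shift would leave the range of int, which is
 * undefined behaviour in C. This is the condition UBSan flagged. */
int shift_overflows_int(unsigned long value, int shift)
{
    if (shift < 0 || shift >= (int)(sizeof(int) * CHAR_BIT))
        return 1;
    return value > ((unsigned long)INT_MAX >> shift);
}

/* Hardened form: build the 16-bit word in an explicitly unsigned 32-bit
 * type, where a left shift that drops high bits is well defined (mod 2^32)
 * instead of relying on integer promotion to a signed int. */
uint32_t read16le_shifted(const unsigned char *inpos, int shift)
{
    uint32_t word = (uint32_t)inpos[0] | ((uint32_t)inpos[1] << 8);
    return word << shift;
}

/* Merge the next 16 input bits into the bit buffer (the pattern the advisory
 * quotes), with a shift-count check so inconsistent decoder state from a
 * malformed block is refused rather than producing an undefined shift.
 * Returns 0 on success, -1 if bitsleft is out of range. */
int refill_bitbuf(uint32_t *bitbuf, int bitsleft, const unsigned char *inpos)
{
    int shift = 32 - 16 - bitsleft;   /* ULONG_BITS - 16 - bitsleft */
    if (shift < 0 || shift > 16)
        return -1;
    *bitbuf |= read16le_shifted(inpos, shift);
    return 0;
}

int main(void)
{
    /* Constructed sample values: the three operands from the UBSan reports. */
    unsigned long reported[] = { 39074, 53200, 63471 };
    for (size_t i = 0; i < 3; i++)
        printf("%lu << 16 overflows int: %s\n", reported[i],
               shift_overflows_int(reported[i], 16) ? "yes" : "no");

    /* Constructed input: 0x98A2 little-endian == 39074. */
    unsigned char sample[2] = { 0xA2, 0x98 };
    uint32_t bitbuf = 0;
    if (refill_bitbuf(&bitbuf, 0, sample) == 0)
        printf("bitbuf = 0x%08x\n", (unsigned)bitbuf);
    return 0;
}
```

Compiling the unsigned version with -fsanitize=undefined produces no report for the same inputs, which is a quick way to confirm that a fix of this kind actually removes the flagged shifts rather than merely hiding them.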
