CHMLib 0.40a Integer Overflow in _unmarshal_int32 / _unmarshal_uint32 During CHM Header Parsing
CHMLib 0.40版本在解析恶意CHM文件时存在整数溢出漏洞。由于未正确处理有符号整数的左移操作,可能导致应用崩溃或内存管理错误。该漏洞影响KDE、GNOME等使用CHMLib的工具。 2025-9-16 03:1:19 Author: seclists.org(查看原文) 阅读量:2 收藏
CHMLib 0.40版本在解析恶意CHM文件时存在整数溢出漏洞。由于未正确处理有符号整数的左移操作,可能导致应用崩溃或内存管理错误。该漏洞影响KDE、GNOME等使用CHMLib的工具。 2025-9-16 03:1:19 Author: seclists.org(查看原文) 阅读量:2 收藏
Full Disclosure mailing list archives
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 14:54:32 -0400
A vulnerability exists in CHMLib (latest release 0.40) when parsing
malformed CHM (Compiled HTML Help) files. The functions _unmarshal_int32
and _unmarshal_uint32 reconstruct 32-bit values using left shifts on signed
integers without proper type casting: *dest = (*pData)[0] | (*pData)[1]<<8
| (*pData)[2]<<16 | (*pData)[3]<<24; If an attacker supplies crafted input
such that the most significant byte is 0xFF, this triggers a left shift of
255 by 24 bits on a signed int, which is undefined behavior in C. This
results in integer overflow, leading to corrupted metadata when parsing
ITSF/ITSP headers. The malformed values propagate into downstream logic,
causing incorrect length calculations, crashes, or memory mismanagement.
*Impact*
- Application crashes when parsing malicious CHM files.
- Invalid integer values may cause logic errors in decompression.
- While primarily a stability issue, corrupted values may form the basis
for further memory safety violations (depending on allocator state and
calling context). Applications embedding CHMLib (e.g., KDE’s KChmViewer,
GNOME CHM viewers, xchm, and other tools) are affected.
*Proof of Concept:*
ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./chmextract /root/CHMLib/malformed_pmgl.chm /tmp/out_malformed
*Output:*
chm_lib.c:272:73: runtime error: left shift of 255 by 24 places cannot be
represented in type 'int'
#0 0xaaaae8f17b00 in _unmarshal_uint32 /root/CHMLib/src/chm_lib.c:272:73
#1 0xaaaae8f02104 in _unmarshal_itsp_header
/root/CHMLib/src/chm_lib.c:458:5
#2 0xaaaae8f02104 in chm_open /root/CHMLib/src/chm_lib.c:843:10
#3 0xaaaae8f00a7c in main /root/CHMLib/src/extract_chmLib.c:184:9
#4 0xffff947f2290 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0xffff947f2374 in __libc_start_main csu/../csu/libc-start.c:360:3
#6 0xaaaae8e205ac in _start (/root/CHMLib/src/chmextract+0x405ac)
(BuildId: c3376fd09cabf1b5e4901002039ac179cafe58ec)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CHMLib 0.40a Integer Overflow in _unmarshal_int32 / _unmarshal_uint32 During CHM Header Parsing Ron E (Sep 15)
文章来源: https://seclists.org/fulldisclosure/2025/Sep/47
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh