From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 14:47:27 -0400
An integer overflow vulnerability exists in the LZX decompression routines
of CHMLib (tested in version 0.40, latest release as of 2025). The issue
occurs within lzx.c during bitstream parsing (lzx_read_lens and
LZXdecompress), where crafted CHM files can supply values that cause
left-shift operations to exceed the representable range of 32-bit signed
integers. When processing malformed compressed blocks, operations such as

    leaf = pos >> 16;
    table[(next_symbol << 1)] = 0;
    bitbuf |= ((inpos[1]<<8)|inpos[0]) << (ULONG_BITS-16 - bitsleft);

perform shifts on large values (value << 16), triggering undefined behavior.
This corrupts the Huffman decode tables and decompression state.
*Impact:*
- Crafted CHM files can crash applications using CHMLib by causing
failures or illegal memory operations during decompression.
- Although direct heap overflows were not observed in this testing, the
corrupted decompression state (match_length, match_offset) could, under
certain inputs, lead to out-of-bounds reads or writes.
*Proof of Concept:*
ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./chmextract crafted_overflow_lzx.chm /tmp/out
*Observed errors:*
lzx.c:663:37: runtime error: left shift of 39074 by 16 places cannot be
represented in type 'int'
lzx.c:569:25: runtime error: left shift of 53200 by 16 places cannot be
represented in type 'int'
lzx.c:440:9: runtime error: left shift of 63471 by 16 places cannot be
represented in type 'int'
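The shift pattern quoted above and the three values from the UBSan output, as an added C example (this is not CHMLib's code): the first function reproduces the condition UBSan reports, and the second is a hardened version of the bit-buffer refill in which the 16-bit word is widened to an unsigned type before the shift and the shift count and remaining input are checked. ULONG_BITS is assumed to be 32, and the function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>
#include <stddef.h>

/* Assumed width of the bit buffer, matching the reported shift expression. */
#define ULONG_BITS 32

/* True when (v << 16) cannot be represented in a 32-bit signed int, which is
 * exactly the condition UBSan reports. With INT_MAX == 2147483647 every
 * v >= 32768 overflows; 39074, 53200 and 63471 from the report all do. */
bool shift16_overflows_int(unsigned v)
{
    return v > (unsigned)(INT_MAX >> 16);   /* INT_MAX >> 16 == 32767 */
}

/* Hardened refill step: read two little-endian input bytes and OR them into
 * the bit buffer. The 16-bit word is widened to uint32_t before the shift, so
 * the shift is defined for any input, and the shift count is validated so it
 * can never go negative. Returns false (leaving state untouched) when fewer
 * than two input bytes remain or bitsleft is out of range. */
bool bitbuf_refill(uint32_t *bitbuf, unsigned *bitsleft,
                   const uint8_t **inpos, const uint8_t *inend)
{
    if (inend - *inpos < 2)              /* would read past the input buffer */
        return false;
    if (*bitsleft > ULONG_BITS - 16)     /* shift count would be negative */
        return false;

    /* Unsigned arithmetic: no promotion to int, no signed overflow. */
    uint32_t word = ((uint32_t)(*inpos)[1] << 8) | (uint32_t)(*inpos)[0];
    *bitbuf |= word << (ULONG_BITS - 16 - *bitsleft);
    *bitsleft += 16;
    *inpos += 2;
    return true;
}

/* Constructed sample input: the first word is 0x98A2 == 39074, the value from
 * the first UBSan message. Returns the assembled buffer for inspection. */
uint32_t demo_refill(void)
{
    static const uint8_t in[] = { 0xA2, 0x98, 0x01, 0x02, 0xFF };
    const uint8_t *p = in;
    uint32_t bitbuf = 0;
    unsigned bitsleft = 0;
    bitbuf_refill(&bitbuf, &bitsleft, &p, in + sizeof in);  /* 0x98A20000 */
    bitbuf_refill(&bitbuf, &bitsleft, &p, in + sizeof in);  /* 0x98A20201 */
    bitbuf_refill(&bitbuf, &bitsleft, &p, in + sizeof in);  /* rejected: 1 byte left */
    return bitbuf;
}
```

Compiling the original promoted-to-int form with -fsanitize=undefined reproduces the "left shift ... cannot be represented in type 'int'" message; the widened form is silent under the same sanitizer.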
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/