On 11/08/17 19:07, Sebastian Andrzej Siewior wrote:
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6419
>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419
> [1] https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1
> Stuart, is this enough information or do you need more?

I'm interested in how the fix is to add a check to see if window_posn+this_run wraps the window, immediately below a comment that expressly states that won't happen, with the reasoning: this_run has already been clamped to ensure it does not wrap a frame, and frames don't wrap windows.

If this is incorrect reasoning, what part of the reasoning is wrong? Is this_run somehow not being clamped to <=FRAME_SIZE through some code path? If so, the fix is to clamp it. Is window size not a multiple of frame size? If so, something is very wrong.

I'd be interested in seeing an example file that gets to this condition.

Also, if ClamAV made a change five months ago, and they're confident it's a bug in libmspack.... why am I only finding out today?

Regards
Stuart
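
A small model of the invariant argued in the message above, added here as an example; it is not libmspack or ClamAV code. The function names, the 32768-byte frame size and the sample window sizes are assumptions of the model. It shows that frame-clamped runs never pass the window end when the window size and the starting position are multiples of the frame size, and that they can when either condition fails.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAME_SIZE 32768u /* model assumption: bytes per frame */

/* The two conditions the argument relies on (hypothetical helper). */
int preconditions_hold(uint32_t window_size, uint32_t start_posn)
{
    return window_size != 0 && window_size % FRAME_SIZE == 0 &&
           start_posn < window_size && start_posn % FRAME_SIZE == 0;
}

/* Decode `frames` frames in runs of at most `requested_run` bytes, each
 * clamped to what is left of the current frame. Returns 1 as soon as a
 * run would end past the window, 0 if that never happens. */
int run_passes_window_end(uint32_t window_size, uint32_t start_posn,
                          uint32_t requested_run, uint32_t frames)
{
    uint32_t window_posn = start_posn;
    if (start_posn >= window_size) return 1;     /* already outside */
    if (requested_run == 0) return 0;            /* nothing is copied */
    for (uint32_t f = 0; f < frames; f++) {
        uint32_t frame_left = FRAME_SIZE;
        while (frame_left > 0) {
            uint32_t this_run = requested_run;
            if (this_run > frame_left) this_run = frame_left;   /* frame clamp */
            if (this_run > window_size - window_posn) return 1; /* overrun */
            window_posn += this_run;
            frame_left -= this_run;
            if (window_posn == window_size) window_posn = 0;    /* wrap */
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed cases: {window_size, start_posn}. */
    uint32_t cases[4][2] = { {65536, 0}, {65536, 32768}, {65536, 100}, {49152, 0} };
    for (int i = 0; i < 4; i++)
        printf("window=%u start=%u preconditions=%d overrun=%d\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               preconditions_hold(cases[i][0], cases[i][1]),
               run_passes_window_end(cases[i][0], cases[i][1], 1000, 8));
    return 0;
}
```
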
