Merge pull request #1458 from val-ms/CLAM-2696-ole2-decrypt-overread

val-ms · web-flow · commit 492e50507049 · 2025-02-24T13:22:43.000-05:00
Fix bounds check in OLE2 decryption
diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
@@ -2130,7 +2130,7 @@ static cl_error_t handler_otf_encrypted(ole2_header_t *hdr, property_t *prop, co
             }
             bytesRead += blockSize;
 
-            for (; writeIdx <= (leftover + bytesToWrite) - 16; writeIdx += 16, decryptDstIdx += 16) {
+            for (; writeIdx + 16 <= leftover + bytesToWrite; writeIdx += 16, decryptDstIdx += 16) {
                 rijndaelDecrypt(rk, nrounds, &(buff[writeIdx]), &(decryptDst[decryptDstIdx]));
             }
 

Original file line number	Diff line number	Diff line change
`@@ -2130,7 +2130,7 @@ static cl_error_t handler_otf_encrypted(ole2_header_t hdr, property_t prop, co`
`2130`	`2130`	`}`
`2131`	`2131`	`bytesRead += blockSize;`
`2132`	`2132`
`2133`		`- for (; writeIdx <= (leftover + bytesToWrite) - 16; writeIdx += 16, decryptDstIdx += 16) {`
	`2133`	`+ for (; writeIdx + 16 <= leftover + bytesToWrite; writeIdx += 16, decryptDstIdx += 16) {`
`2134`	`2134`	`rijndaelDecrypt(rk, nrounds, &(buff[writeIdx]), &(decryptDst[decryptDstIdx]));`
`2135`	`2135`	`}`
`2136`	`2136`