[sword-devel] Major Sword bug found -- buffer overflow

Martin Gruner mg.pub at gmx.net
Wed Mar 1 05:29:39 MST 2006


Hi,

when testing the new GerHfa2002 module, I discovered a major bug in Sword. I 
tried to open the locked module without having the key yet. In some chapters 
garbage text shows up which clearly does not belong to the module, but to other 
parts of the address space of BibleTime.

IIRC, in Sword, module encryption works like this:

raw text -> compression -> encryption

This is supposed to strengthen the encryption. But if you don't have the 
encryption key, then the decryption can't work:

decryption -> decompression -> raw text

Since decryption does not work, decompression tries to uncompress the 
encrypted text (that's what I guess here). This sometimes leads to buffer 
overflows (not deterministic). For example, I had this text in Joshua 1 in 
BibleTime:

1  2  3 b   4  5  6 o 7  8 r-Verlag" and "Friedrich Reinhardt Verlag", we are 
able to distribute (for missionary purposes) the text of the LOSUNG 
("Watchwords" -selected Old and New Testamtent texts-) as freeware. I am very 
glad about this opportunity, and with all my heart I give thanks to our great 
God. I am also grateful to all those sustaining this missionary opportunity 9 
in prayer. Their part is crucial.\par\parThis free version on disk displays 
only the Old and New Testament verses. The publisher "Hänssler-Verlag" in 
Germany offers a disk version 10 for sale (in German), which displays 
additional text from the printed booklet.\par\parEach user and distributor of 
this disk must adhere to the license agreement below:\par\par You may 
distribute the content of this disk or program package only in unmodified 
form. You must not remove, modify, or pass along any files separately.
\par\par Via BBS you m 12 ay distribute individual program packets, such as: 
\par\par winlos99.exe \par doslos99.exe \par os2los99.zip \par atalsg99.zip 
\par etc.. \par\par The same restriction applies here, as well: \par\par 
Distribution of the LOSUNG ("Watchwords") texts without their respective 
display programs is not permitted. You must not alter the content of the 
texts.\par\par The programs themselves are copyrighted (German 
"Urheberrecht") for the benefit of their progr 13 am authors. See program 
documentation for details.\par\parAdditionally, the following applies:
\par\par the LOSUNG ("Watchwords") may be used exclusively by the name 
"LOSUNG" with the freeware programs provided, and may only be distributed 
free of charge. \par advertisement, distribution for profit, and distribution 
through commercial companies, is prohibited. \par you must not use or 
incorporate the freeware LOSUNG ("Watchwords") texts in any other software 
program (e.g. an or 15 ganizer program), unless the sole function of the 
program is to display the LOSUNG ("Watchwords") text on the screen. 
\par\parImportant Copyright Information regarding the English Bible Texts:
\par\par The Text of the "AUTHORIZED VERSION" (popularly known as the "King 
Jam 16 es Version") is in the Public Domain.\par\par The NEW INTERNATIONAL 
VERSION (often abbreviated as "NIV")\par "Scripture t 17 aken from the HOLY 
BIBLE, NEW INTERNATIONAL VERSION (R)\par Copyright (C) 1973, 1978, 1984\par 
18 by International Bible Society.\par Used by permission of Zondervan 
Publishing House.\par All rights reserved."\par\par T

This obviously comes from other parts of BibleTime's address space. Try 
"mod2imp GerHfa2002" and you might see places where this happens. The 
GerHfaLex2002 module crashes BibleTime on my system, perhaps because the 
decompressor tries to access memory that is outside of BibleTime's address 
space.
The console always spits out warnings like:

no room in outbuffer to during decompression. see zipcomp.cpp
no room in outbuffer to during decompression. see zipcomp.cpp

I don't know how the decompression algorithms and Sword's design in this 
regard work. Perhaps somebody wants to investigate? This is both a stability 
and a security problem.

Martin
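The pipeline Martin describes (compress, then encrypt; decrypt, then decompress) and the failure mode he observed (garbage fed to the decompressor, an output buffer with "no room") can be reproduced in a few lines. The following is an added example, not Sword's or BibleTime's code: the cipher is a constructed SHA-256 keystream XOR stand-in, not the module cipher Sword actually uses, and the module text and keys are made-up sample values. The point it shows is the defensive half: a decoder that treats a wrong key as an input problem and returns a status instead of writing past a fixed-size buffer, bounding the inflated output and rejecting streams that would exceed it.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Optional


# Constructed stand-in for the module cipher (assumption: NOT Sword's cipher).
# A keyed keystream of SHA-256 counter blocks, XORed over the data.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    ks = _keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def compress_then_encrypt(text: str, key: bytes) -> bytes:
    """raw text -> compression -> encryption, as the e-mail describes."""
    return xor_crypt(zlib.compress(text.encode("utf-8")), key)


@dataclass
class DecodeResult:
    status: str              # "ok", "error", "truncated" or "too_large"
    text: Optional[str] = None


def decrypt_then_decompress(blob: bytes, key: bytes, max_out: int) -> DecodeResult:
    """decryption -> decompression -> raw text, with a hard output bound.

    With the wrong key `candidate` is pseudo-random bytes; zlib then either
    rejects the header/stream (zlib.error) or runs out of input before the
    end-of-stream marker. Either way we report it instead of emitting garbage.
    """
    candidate = xor_crypt(blob, key)
    d = zlib.decompressobj()
    try:
        # max_length caps the bytes produced; surplus input goes to unconsumed_tail.
        out = d.decompress(candidate, max_out)
        while d.unconsumed_tail and not d.eof:
            # Budget is (almost) spent: ask for at most one byte beyond it.
            # If anything arrives, the caller's buffer would have overflowed.
            chunk = d.decompress(d.unconsumed_tail, max(1, max_out - len(out)))
            if len(out) + len(chunk) > max_out:
                return DecodeResult("too_large")
            out += chunk
    except zlib.error:
        return DecodeResult("error")
    if not d.eof:
        # Input exhausted before zlib saw the end marker and Adler-32 check.
        return DecodeResult("truncated")
    try:
        return DecodeResult("ok", out.decode("utf-8"))
    except UnicodeDecodeError:
        return DecodeResult("error")


if __name__ == "__main__":
    # Constructed sample module text and keys.
    key = b"sample-module-key"
    blob = compress_then_encrypt("Sample verse text for the locked module.", key)
    print(decrypt_then_decompress(blob, key, 1024))
    print(decrypt_then_decompress(blob, b"wrong-key", 1024))
```

The `max_out` parameter plays the role of the fixed output buffer in the Sword decompressor: when the inflated stream would exceed it, the function returns `too_large` rather than continuing to write. Running the script with the right key prints an `ok` result with the original text; with the wrong key it prints an `error` or `truncated` result and no text, which is the behaviour one would want from the module reader when the key is missing.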

