[sword-devel] Major Sword bug found -- buffer overflow

DM Smith dmsmith555 at yahoo.com
Wed Mar 1 06:21:59 MST 2006


Check line 41 of sapphire.cpp. Make sure that rsum is actually an 
unsigned byte and that it is handling integer overflow correctly. This 
is where I had a bug in the equivalent Java routine.

This code relies upon integer overflow happening correctly. It is safer 
to mask before using it for an index.

DM Smith wrote:
> Martin,
> You have the flow of events incorrect. Compression is last on 
> building. Decompression is first on reading.
>
> It could be that it is experiencing the same bug I encountered in 
> JSword. I'll check (as it is a one line change)
>
> Martin Gruner wrote:
>> Hi,
>>
>> when testing the new GerHfa2002 module, I discovered a major bug in 
>> sword. I tried to open the locked module without having the key yet. 
>> In some chapters garbage text shows up which clearly does not belong 
>> to the module, but to other parts of the address space of BibleTime.
>>
>> IIRC, in Sword, module encryption works like this
>>
>> raw text -> compression -> encryption
>>   
> raw text -> encryption -> compression
> encryption does not change the size of the file.
>> This is supposed to strengthen the encryption. But if you don't have 
>> the encryption key, then the decryption can't work:
>>
>> decryption -> decompression -> raw text
>>   
> decompression -> decryption -> raw text
>
> Actually, if anyone cares to know, there is no difference between 
> encryption and decryption.
>
>> Since decryption does not work, decompression tries to uncompress the 
>> encrypted text (that's what I guess here). This sometimes leads to 
>> buffer overflows (not deterministic). For example, I had this text in 
>> Joshua 1 in BibleTime:
>>
>> 1  2  3 b   4  5  6 o 7  8 r-Verlag" and "Friedrich Reinhardt 
>> Verlag", we are able to distribute (for missionary purposes) the text 
>> of the LOSUNG ("Watchwords" -selected Old and New Testamtent texts-) 
>> as freeware. I am very glad about this opportunity, and with all my 
>> heart I give thanks to our great God. I am also grateful to all those 
>> sustaining this missionary opportunity 9 in prayer. Their part is 
>> crucial.\par\parThis free version on disk displays only the Old and 
>> New Testament verses. The publisher "Hänssler-Verlag" in Germany 
>> offers a disk version 10 for sale (in German), which displays 
>> additional text from the printed booklet.\par\parEach user and 
>> distributor of this disk must adhere to the license agreement 
>> below:\par\par You may distribute the content of this disk or program 
>> package only in unmodified form. You must not remove, modify, or pass 
>> along any files separately.
>> \par\par Via BBS you m 12 ay distribute individual program packets, 
>> such as: \par\par winlos99.exe \par doslos99.exe \par os2los99.zip 
>> \par atalsg99.zip \par etc.. \par\par The same restriction applies 
>> here, as well: \par\par Distribution of the LOSUNG ("Watchwords") 
>> texts without their respective display programs is not permitted. You 
>> must not alter the content of the texts.\par\par The programs 
>> themselves are copyrighted (German "Urheberrecht") for the benefit of 
>> their progr 13 am authors. See program documentation for 
>> details.\par\parAdditionally, the following applies:
>> \par\par the LOSUNG ("Watchwords") may be used exclusively by the 
>> name "LOSUNG" with the freeware programs provided, and may only be 
>> distributed free of charge. \par advertisement, distribution for 
>> profit, and distribution through commercial companies, is prohibited. 
>> \par you must not use or incorporate the freeware LOSUNG 
>> ("Watchwords") texts in any other software program (e.g. an or 15 
>> ganizer program), unless the sole function of the program is to 
>> display the LOSUNG ("Watchwords") text on the screen. 
>> \par\parImportant Copyright Information regarding the English Bible 
>> Texts:
>> \par\par The Text of the "AUTHORIZED VERSION" (popularly known as the 
>> "King Jam 16 es Version") is in the Public Domain.\par\par The NEW 
>> INTERNATIONAL VERSION (often abbreviated as "NIV")\par "Scripture t 
>> 17 aken from the HOLY BIBLE, NEW INTERNATIONAL VERSION (R)\par 
>> Copyright (C) 1973, 1978, 1984\par 18 by International Bible 
>> Society.\par Used by permission of Zondervan Publishing House.\par 
>> All rights reserved."\par\par T
>>
>> This obviously comes from other parts of BibleTime's address space. 
>> Try "mod2imp GerHfa2002" and you might see places where this happens. 
>> The GerHfaLex2002 module crashes BibleTime on my system, perhaps 
>> because the decompressor tries to access memory that is outside of 
>> BibleTime's address space.
>> The console always spits out warnings like:
>>
>> no room in outbuffer to during decompression. see zipcomp.cpp
>> no room in outbuffer to during decompression. see zipcomp.cpp
>>
>> I don't know how the decompression algorithms and Sword's design in 
>> this regard work. Perhaps somebody wants to investigate? This is both 
>> a stability and a security problem.
>>
>> Martin
>> _______________________________________________
>> sword-devel mailing list: sword-devel at crosswire.org
>> http://www.crosswire.org/mailman/listinfo/sword-devel
>> Instructions to unsubscribe/change your settings at above page
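As an added illustration of the point about rsum above (constructed example, not the sapphire.cpp or JSword code): a 256-entry table indexed by a running sum, comparing an accumulator that merely relies on wraparound with one that masks to a byte before indexing. The table contents and the step function are assumptions for illustration, not the Sapphire algorithm.

```c
#include <stdint.h>

/* Constructed example, not sapphire.cpp: a 256-entry table indexed by a
 * running sum, standing in for the rsum-style index under discussion. */
#define TABLE_SIZE 256

typedef struct {
    uint8_t cards[TABLE_SIZE];
    uint8_t rsum;   /* unsigned byte: arithmetic wraps modulo 256 */
} state_t;

/* Identity permutation as constructed sample table contents. */
void init_state(state_t *s) {
    for (int i = 0; i < TABLE_SIZE; i++) s->cards[i] = (uint8_t)i;
    s->rsum = 0;
}

/* Risky form: the accumulator is a wider int (as a Java int or a signed
 * Java byte promoted to int would be), so it never wraps at 256. Returns 1
 * if the value it would use as an index lies outside the table. */
int step_unmasked_int(int *rsum, int addend) {
    *rsum = *rsum + addend;
    return (*rsum < 0 || *rsum >= TABLE_SIZE);
}

/* Hardened form: mask to a byte before indexing, so the lookup stays in
 * range whatever the width or signedness of the accumulator. */
uint8_t step_masked(int *rsum, const uint8_t *cards, int addend) {
    *rsum = (*rsum + addend) & 0xFF;
    return cards[*rsum];
}

/* Reference form: a uint8_t accumulator, which wraps by definition. */
uint8_t step_uint8(state_t *s, uint8_t addend) {
    s->rsum = (uint8_t)(s->rsum + addend);
    return s->cards[s->rsum];
}

/* Drive all three for n steps with a constant addend. Returns 1 if the
 * unmasked int form would ever index out of bounds, 0 if not, and -1 if
 * the masked form ever disagrees with the uint8_t reference. */
int compare_after_steps(int n, int addend) {
    state_t s; init_state(&s);
    int r_unmasked = 0, r_masked = 0, oob = 0;
    for (int i = 0; i < n; i++) {
        oob |= step_unmasked_int(&r_unmasked, addend);
        if (step_masked(&r_masked, s.cards, addend) != step_uint8(&s, (uint8_t)addend))
            return -1;
    }
    return oob;
}
```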