[sword-devel] Major Sword bug found -- buffer overflow

DM Smith dmsmith555 at yahoo.com
Wed Mar 1 05:59:14 MST 2006


Martin,
You have the flow of events incorrect. Compression is last on building. 
Decompression is first on reading.

It could be that it is experiencing the same bug I encountered in 
JSword. I'll check (as it is a one-line change).

Martin Gruner wrote:
> Hi,
>
> when testing the new GerHfa2002 module, I discovered a major bug in sword. I 
> tried to open the locked module without having the key yet. In some chapters 
> garbage text shows up which clearly belongs not to the module, but to other 
> parts of the address space of BibleTime.
>
> IIRC, in Sword, module encryption works like this
>
> raw text -> compression -> encryption
>   
raw text -> encryption -> compression
encryption does not change the size of the file.
> This is supposed to strengthen the encryption. But if you don't have the 
> encryption key, then the decryption can't work:
>
> decryption -> decompression -> raw text
>   
decompression -> decryption -> raw text

Actually, if anyone cares to know, there is no difference between 
encryption and decryption.

> Since decryption does not work, decompression tries to uncompress the 
> encrypted text (that's what I guess here). This sometimes leads to buffer 
> overflows (not deterministic). For example, I had this text in Joshua 1 in 
> BibleTime:
>
> 1  2  3 b   4  5  6 o 7  8 r-Verlag" and "Friedrich Reinhardt Verlag", we are 
> able to distribute (for missionary purposes) the text of the LOSUNG 
> ("Watchwords" -selected Old and New Testamtent texts-) as freeware. I am very 
> glad about this opportunity, and with all my heart I give thanks to our great 
> God. I am also grateful to all those sustaining this missionary opportunity 9 
> in prayer. Their part is crucial.\par\parThis free version on disk displays 
> only the Old and New Testament verses. The publisher "Hänssler-Verlag" in 
> Germany offers a disk version 10 for sale (in German), which displays 
> additional text from the printed booklet.\par\parEach user and distributor of 
> this disk must adhere to the license agreement below:\par\par You may 
> distribute the content of this disk or program package only in unmodified 
> form. You must not remove, modify, or pass along any files separately.
> \par\par Via BBS you m 12 ay distribute individual program packets, such as: 
> \par\par winlos99.exe \par doslos99.exe \par os2los99.zip \par atalsg99.zip 
> \par etc.. \par\par The same restriction applies here, as well: \par\par 
> Distribution of the LOSUNG ("Watchwords") texts without their respective 
> display programs is not permitted. You must not alter the content of the 
> texts.\par\par The programs themselves are copyrighted (German 
> "Urheberrecht") for the benefit of their progr 13 am authors. See program 
> documentation for details.\par\parAdditionally, the following applies:
> \par\par the LOSUNG ("Watchwords") may be used exclusively by the name 
> "LOSUNG" with the freeware programs provided, and may only be distributed 
> free of charge. \par advertisement, distribution for profit, and distribution 
> through commercial companies, is prohibited. \par you must not use or 
> incorporate the freeware LOSUNG ("Watchwords") texts in any other software 
> program (e.g. an or 15 ganizer program), unless the sole function of the 
> program is to display the LOSUNG ("Watchwords") text on the screen. 
> \par\parImportant Copyright Information regarding the English Bible Texts:
> \par\par The Text of the "AUTHORIZED VERSION" (popularly known as the "King 
> Jam 16 es Version") is in the Public Domain.\par\par The NEW INTERNATIONAL 
> VERSION (often abbreviated as "NIV")\par "Scripture t 17 aken from the HOLY 
> BIBLE, NEW INTERNATIONAL VERSION (R)\par Copyright (C) 1973, 1978, 1984\par 
> 18 by International Bible Society.\par Used by permission of Zondervan 
> Publishing House.\par All rights reserved."\par\par T
>
> This obviously comes from other parts of BibleTime's address space. Try 
> "mod2imp GerHfa2002" and you might see places where this happens. The 
> GerHfaLex2002 module crashes BibleTime on my system, perhaps because the 
> decompressor tries to access memory that is outside of BibleTime's address 
> space.
> The console always spits out warnings like:
>
> no room in outbuffer to during decompression. see zipcomp.cpp
> no room in outbuffer to during decompression. see zipcomp.cpp
>
> I don't know how the decompression algorithms and Sword's design in this 
> regard work. Perhaps somebody wants to investigate? This is both a stability 
> and a security problem.
>
> Martin
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page
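
The two pipeline orders discussed above, as an added example that is not part of the original thread and not Sword's code: it models both orders with zlib and a stand-in repeating-key XOR in place of Sword's real cipher (the only property used is the one named in the reply, that encryption does not change the size and is its own inverse), reads a record with a hard output budget so that a stream that does not fit is reported instead of written past the buffer, and shows what a reader gets without the key in each order. It goes one step beyond the thread in also checking for a truncated stream. The sample text, the keys and the 4096-byte budget are constructed for this example.

```python
"""Added example (not Sword's code): locked-module records with bounded decompression.

Assumptions: a repeating-key XOR stands in for Sword's cipher (it only needs to be
length-preserving and self-inverse, as the thread notes); sample text, keys and
the output budget are constructed here.
"""
import zlib


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher. Encryption and decryption are the same operation, and
    the output has the same length as the input. An empty key models a reader
    that has no key and therefore leaves the bytes untouched."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_encrypt_then_compress(text: bytes, key: bytes) -> bytes:
    """Order given in the reply: raw text -> encryption -> compression (compression last)."""
    return zlib.compress(xor_cipher(text, key))


def build_compress_then_encrypt(text: bytes, key: bytes) -> bytes:
    """Order assumed in the report: raw text -> compression -> encryption."""
    return xor_cipher(zlib.compress(text), key)


def bounded_inflate(blob: bytes, max_out: int) -> bytes:
    """Inflate into an output budget of max_out bytes.

    The decompressor is told the limit up front, so it can never produce more
    than max_out bytes, and only bytes it actually produced are returned, so a
    caller never reads a "claimed" length of unwritten buffer. Input that is
    not a zlib stream (for example ciphertext) raises zlib.error from decompress().
    """
    d = zlib.decompressobj()
    out = d.decompress(blob, max_out)
    if not d.eof:
        if len(out) >= max_out:
            raise ValueError("no room in output buffer")
        raise ValueError("truncated or corrupt stream")
    return out


def read_record(blob: bytes, key: bytes, max_out: int = 4096) -> bytes:
    """Reading path for the reply's order: decompression first, then decryption."""
    return xor_cipher(bounded_inflate(blob, max_out), key)


def read_record_wrong_order(blob: bytes, key: bytes, max_out: int = 4096) -> bytes:
    """Reading path for the report's assumed order: decryption first, then decompression."""
    return bounded_inflate(xor_cipher(blob, key), max_out)


def classify_read(reader, blob: bytes, key: bytes, max_out: int = 4096) -> str:
    """Run a reader and report the outcome as a short string instead of raising."""
    try:
        reader(blob, key, max_out)
        return "ok"
    except zlib.error:
        return "not a compressed stream"
    except ValueError as exc:
        return str(exc)


# Constructed sample data; not taken from any real module.
SAMPLE_TEXT = b"Joshua 1:1 Nach dem Tod des Mose " * 8
MODULE_KEY = b"secret"


if __name__ == "__main__":
    rec = build_encrypt_then_compress(SAMPLE_TEXT, MODULE_KEY)
    print("with key:    ", read_record(rec, MODULE_KEY)[:33])
    # No key: decompression succeeds, decryption is a no-op, and the result is
    # ciphertext of exactly the plaintext length: garbage, but bounded.
    print("without key: ", len(read_record(rec, b"")), "bytes of ciphertext")
    # The other order without a key feeds ciphertext to the decompressor.
    rec2 = build_compress_then_encrypt(SAMPLE_TEXT, MODULE_KEY)
    print("wrong order: ", classify_read(read_record_wrong_order, rec2, b""))
    # A stream larger than the buffer is refused rather than written past it.
    print("small buffer:", classify_read(read_record, rec, MODULE_KEY, max_out=64))
    # A stream cut short is reported rather than padded with unwritten bytes.
    print("truncated:   ", classify_read(read_record, rec[:-8], MODULE_KEY))
```

With the order from the reply, a reader without the key gets a bounded block of ciphertext and nothing else; the decompressor never sees anything but a valid stream, so garbage from elsewhere in the process can only appear if the decompressor itself mishandles its output buffer. With the order assumed in the report, the decompressor is handed ciphertext and the correct outcome is a refusal, not a best-effort buffer.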
