
Full Disclosure mailing list archives
CHMLIB 0.40a Integer Overflow in LZX Decompression of CHMLib
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 14:47:27 -0400
An integer overflow vulnerability exists in the LZX decompression routines of CHMLib (tested in version 0.40, latest release as of 2025). The issue occurs within lzx.c during bitstream parsing (lzx_read_lens and LZXdecompress), where crafted CHM files can supply values that cause left-shift operations to exceed the representable range of 32-bit signed integers.

When processing malformed compressed blocks, operations such as:

    leaf = pos >> 16;
    table[(next_symbol << 1)] = 0;
    bitbuf |= ((inpos[1]<<8)|inpos[0]) << (ULONG_BITS-16 - bitsleft);

perform shifts on large values (value << 16), triggering undefined behavior. This corrupts the Huffman decode tables and decompression state.

*Impact:*

- Crafted CHM files can crash applications using CHMLib by causing failures or illegal memory operations during decompression.
- Although direct heap overflows were not observed in this testing, the corrupted decompression state (match_length, match_offset) could under certain inputs lead to out-of-bounds reads or writes.

*Proof of Concept:*

    ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 \
    UBSAN_OPTIONS=print_stacktrace=1 \
    ./chmextract crafted_overflow_lzx.chm /tmp/out

*Observed errors:*

    lzx.c:663:37: runtime error: left shift of 39074 by 16 places cannot be represented in type 'int'
    lzx.c:569:25: runtime error: left shift of 53200 by 16 places cannot be represented in type 'int'
    lzx.c:440:9: runtime error: left shift of 63471 by 16 places cannot be represented in type 'int'

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
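The bit-buffer refill quoted in the post, redone as an added example (not CHMLib's code) in unsigned arithmetic with the input length and shift count bounded, next to a check for the signed-shift condition UBSan reported. ULONG_BITS is assumed to be 32 here, and int_shift_overflows, refill16 and refill_demo are names invented for this example.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ULONG_BITS 32u  /* assumed width of the bit buffer in this example */

/* Would (value << shift) overflow a 32-bit signed int? This is the condition
 * UBSan flagged: "left shift of 39074 by 16 places cannot be represented in type 'int'". */
static bool int_shift_overflows(uint32_t value, unsigned shift)
{
    if (value == 0) return false;
    if (shift >= 31) return true;                 /* lands in or past the sign bit */
    return value > ((uint32_t)INT_MAX >> shift);  /* compare without performing the shift */
}

/* Hardened refill of the expression from the report,
 *   bitbuf |= ((inpos[1]<<8)|inpos[0]) << (ULONG_BITS-16 - bitsleft);
 * widened to uint32_t before shifting, so the shift is defined for any 16-bit word. */
static bool refill16(const unsigned char *inpos, const unsigned char *inend,
                     uint32_t *bitbuf, unsigned *bitsleft)
{
    if (inend - inpos < 2) return false;            /* not enough input left */
    if (*bitsleft > ULONG_BITS - 16) return false;   /* shift count would go negative */
    uint32_t word = ((uint32_t)inpos[1] << 8) | inpos[0];
    *bitbuf |= word << (ULONG_BITS - 16 - *bitsleft);
    *bitsleft += 16;
    return true;
}

/* Refill from a constructed two-byte little-endian input; returns -1 if rejected. */
static int64_t refill_demo(unsigned char b0, unsigned char b1, unsigned bitsleft)
{
    unsigned char in[2] = { b0, b1 };
    uint32_t bitbuf = 0;
    if (!refill16(in, in + sizeof in, &bitbuf, &bitsleft)) return -1;
    return (int64_t)bitbuf;
}

int main(void)
{
    /* Constructed sample: the 16-bit value 39074 (0x98A2) from the report. */
    printf("39074 << 16 overflows int: %s\n", int_shift_overflows(39074, 16) ? "yes" : "no");
    printf("unsigned refill result: 0x%08" PRIx32 "\n", (uint32_t)refill_demo(0xA2, 0x98, 0));
    return 0;
}
```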