CVE-2022-29358: Integer overflow bug in _parse_special_tag function, sxmlc.c · Issue #22 · kevinboone/epub2txt2

epub2txt2 v2.04 was discovered to contain an integer overflow in the function _parse_special_tag in sxmlc.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted XML file.


Hi, there is an integer overflow bug in the _parse_special_tag function, sxmlc.c.

static TagType _parse_special_tag(const SXML_CHAR* str, int len, _TAG* tag, XMLNode* node)
{
    if (sx_strncmp(str, tag->start, tag->len_start))
        return TAG_NONE;

    if (sx_strncmp(str + len - tag->len_end, tag->end, tag->len_end)) /* There probably is a '>' inside the tag */
        return TAG_PARTIAL;

    /* len - tag->len_start - tag->len_end is never checked for being negative;
     * with -1 the "+ 1" turns this into malloc(0), which succeeds */
    node->tag = __malloc((len - tag->len_start - tag->len_end + 1)*sizeof(SXML_CHAR));
    if (node->tag == NULL)
        return TAG_ERROR;

    /* the same negative length is passed as the copy size and converted to an unsigned type */
    sx_strncpy(node->tag, str + tag->len_start, len - tag->len_start - tag->len_end);
    node->tag[len - tag->len_start - tag->len_end] = NULC;
    node->tag_type = tag->tag_type;
    return node->tag_type;
}

It passes ((len - tag->len_start - tag->len_end + 1)*sizeof(SXML_CHAR)) as a parameter to the malloc function.
If (len - tag->len_start - tag->len_end) == -1, then (len - tag->len_start - tag->len_end + 1) == 0.
It is legal to use 0 as an argument to the malloc function, and it will return the address of a small heap chunk successfully.

However, in line 1214, it passes (len - tag->len_start - tag->len_end) as a parameter to the strncpy function.
-1 will be coerced to an unsigned integer: 0xffffffffffffffff. It is a huge size and will make the program crash.

poc:
poc.zip

To reproduce:

$ wget https://github.com/kevinboone/epub2txt2/files/8482640/poc.zip
......
$ unzip poc.zip
Archive:  poc.zip
  inflating: poc
$ ls
epub2txt  poc  poc.zip
$ ./epub2txt --version
epub2txt version 2.04
Copyright (c)2013-2022 Kevin Boone and contributors
Distributed under the terms of the GNU Public Licence, v3.0
$ ./epub2txt poc
/tmp/epub2txt5552/OPS/epb.opf  bad CRC cb87c959  (should be 0192f2f4)
Segmentation fault (core dumped)

epub2txt is built with:

git clone https://github.com/kevinboone/epub2txt2 && cd epub2txt2
make && sudo make install

Tested on: Ubuntu 20.04
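As an added example (not code from the report, nor from epub2txt2 or sxmlc), the same length arithmetic in a hardened form, with a constructed stand-in for the _TAG descriptor: vulnerable_copy_len shows how the -1 described above becomes SIZE_MAX once converted to size_t, and parse_special_tag_safe adds the bound check that rejects input shorter than both markers before anything is subtracted from len. The names tag_desc, comment_tag, vulnerable_copy_len, parse_special_tag_safe and the TAG_OK result are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for sxmlc's _TAG descriptor: the two markers and their lengths. */
typedef struct {
    const char *start;
    int len_start;
    const char *end;
    int len_end;
} tag_desc;

/* TAG_NONE/TAG_PARTIAL/TAG_ERROR follow the original; TAG_OK is this example's success value. */
enum tag_result { TAG_NONE, TAG_PARTIAL, TAG_ERROR, TAG_OK };

/* Sample descriptor for an XML comment, constructed for this example. */
static const tag_desc comment_tag = { "<!--", 4, "-->", 3 };

/* The length the original hands to strncpy: a negative int becomes SIZE_MAX. */
static size_t vulnerable_copy_len(int len, int len_start, int len_end)
{
    return (size_t)(len - len_start - len_end);
}

/* Hardened parse: reject input too short to hold both markers before any
 * subtraction or pointer arithmetic on len. *out receives the NUL-terminated
 * tag body on TAG_OK and is NULL otherwise; the caller frees it. */
static enum tag_result parse_special_tag_safe(const char *str, int len,
                                              const tag_desc *tag, char **out)
{
    *out = NULL;
    if (len < 0 || tag->len_start < 0 || tag->len_end < 0)
        return TAG_ERROR;
    if (len < tag->len_start ||
        strncmp(str, tag->start, (size_t)tag->len_start) != 0)
        return TAG_NONE;
    /* The check the original lacks: for "<!--->" (len 6), 6 - 4 - 3 == -1
     * would otherwise flow into malloc(0) followed by a SIZE_MAX-long copy. */
    if (len < tag->len_start + tag->len_end)
        return TAG_PARTIAL;
    if (strncmp(str + len - tag->len_end, tag->end, (size_t)tag->len_end) != 0)
        return TAG_PARTIAL;
    size_t body = (size_t)(len - tag->len_start - tag->len_end); /* now >= 0 */
    char *buf = malloc(body + 1);
    if (buf == NULL)
        return TAG_ERROR;
    memcpy(buf, str + tag->len_start, body);
    buf[body] = '\0';
    *out = buf;
    return TAG_OK;
}
```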
