
Fix out-of-bounds reads when parsing some malformed headers #9

Merged
merged 4 commits into from Jul 31, 2017

@jwilk
Contributor

jwilk commented Jul 30, 2017

This fixes multiple bugs that made GMime read past the terminating null byte.

Reproducer:

From: <@[0
To: 0@[
Subject: =??
Content-Type: text/plain; charset="\

Found using American Fuzzy Lop.

jwilk added some commits Jul 30, 2017

Fix out-of-bounds read in decode_domain_literal()

If a malformed address ended right after dtext, the original code would
jump over the terminating null byte.

Fix out-of-bounds read in domain_literal_parse()

If a malformed address ended right after dtext, the original code would
read past the terminating null byte.

Fix out-of-bounds read in tokenize_rfc2047_phrase()

strchr("BbQq", ...) was meant to check for these four characters, but
it returns true also for the null byte.

If a header ended with the "=?<charset>?" sequence, the original code
would read past the terminating null byte.

Fix out-of-bounds read in decode_quoted_string()

If a malformed header ended right after backslash, the original code
would jump over the terminating null byte.
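As an added example (not GMime's code and not part of this PR), the three NUL-handling patterns the commit messages describe, each beside the guarded form: the strchr("BbQq", c) check that accepts '\0', a dtext scan that tests the byte before the character-class predicate as the merged hunk does, and a quoted-string decoder that stops on a trailing backslash. The predicate dtext_ok(), the function and helper names, and the 64-byte buffers are assumptions made for the example.

```c
#include <string.h>

/* tokenize_rfc2047_phrase() bug: strchr() also matches the NUL that
 * terminates "BbQq", so '\0' is accepted as an encoding letter. */
static int is_encoding_buggy(char c) { return strchr("BbQq", c) != NULL; }
/* Fixed form: rule out NUL before consulting strchr(). */
static int is_encoding_fixed(char c) { return c && strchr("BbQq", c) != NULL; }

/* Assumed dtext test (RFC 5322: printable ASCII except '[', ']', '\\'). */
static int dtext_ok(unsigned char c) { return c > 32 && c < 127 && c != '[' && c != ']' && c != '\\'; }
/* Scan "[dtext]" at *in. Testing *inptr before dtext_ok(), as the merged
 * hunk does, stops the "To: 0@[" reproducer at the terminator. Returns the
 * dtext length and moves *in past ']' on success, -1 if unterminated. */
static int scan_domain_literal(const char **in, char *out, size_t outlen) {
    const char *inptr = *in;
    size_t n = 0;
    if (*inptr++ != '[')
        return -1;
    while (*inptr && dtext_ok((unsigned char) *inptr) && n + 1 < outlen)
        out[n++] = *inptr++;
    out[n] = '\0';
    if (*inptr != ']')
        return -1;
    *in = inptr + 1;
    return (int) n;
}
/* Decode a quoted-string body ("\x" yields x). A backslash that is the last
 * byte before the terminator is dropped instead of stepped over, which is
 * the decode_quoted_string() bug behind the 'charset="\' reproducer. */
static size_t unquote_string(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    while (*in && n + 1 < outlen) {
        if (*in == '\\' && *++in == '\0')   /* move to escaped byte; stop on NUL */
            break;
        out[n++] = *in++;
    }
    out[n] = '\0';
    return n;
}
/* Result checkers so callers need no buffers of their own. */
static int literal_is(const char *s, int want_len, const char *want_text) {
    char buf[64];
    return scan_domain_literal(&s, buf, sizeof buf) == want_len && !strcmp(buf, want_text);
}
static int quoted_is(const char *s, const char *want) {
    char buf[64];
    unquote_string(s, buf, sizeof buf);
    return !strcmp(buf, want);
}
```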
@coveralls

coveralls commented Jul 30, 2017

Coverage decreased (-0.04%) to 56.221% when pulling c34f418 on jwilk-forks:oob into b29c54c on jstedfast:master.

@jstedfast jstedfast merged commit f65a15a into jstedfast:master Jul 31, 2017

1 of 2 checks passed

coverage/coveralls: Coverage decreased (-0.04%) to 56.221%
continuous-integration/travis-ci/pr: The Travis CI build passed
@@ -1589,7 +1589,7 @@ domain_literal_parse (GString *str, const char **in)
skip_lwsp (&inptr);
do {
while (is_dtext (*inptr))
while (*inptr && is_dtext (*inptr))
g_string_append_c (str, *inptr++);
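Review bot: the `*inptr &&` guard on the `while` in domain_literal_parse() protects only this call site, while the commit messages describe the same dtext loop in decode_domain_literal(); making is_dtext() itself return false for '\0', as the owner suggests in the review comment on this hunk, would cover every caller at once, and the explicit guard could then stay as a belt-and-braces check. Since the loop can now end at the terminator rather than at ']', it is also worth confirming that the code after the loop handles the missing closing bracket instead of assuming one was found.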

@jstedfast

jstedfast Jul 31, 2017

Owner

I wonder if is_dtext() could be fixed to bail on '\0'
