
A heap-buffer-overflow in icaltime_from_string #251

Closed
@agustinmista

Description


Hello, we recently found a memory issue while parsing and executing a fuzzed ical file in the latest revision of libical (#19acf43794ad4c99f7e6687cb39424a82b737828).
We tested this issue on Ubuntu 14.04, but other configurations could be affected.
Technical details about the issue are:

==8557==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000caa3 at pc 0x7ffff7b187ce bp 0x7fffffff87f0 sp 0x7fffffff87e8
READ of size 1 at 0x60300000caa3 thread T0

gdb backtrace is as follows:

#0  0x00007ffff61cfc37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff61d3028 in __GI_abort () at abort.c:89
#2  0x00000000004b12b6 in __sanitizer::Abort() ()
#3  0x00000000004a1f97 in __asan::AsanDie() ()
#4  0x00000000004a89cf in __sanitizer::Die() ()
#5  0x00000000004a062b in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()
#6  0x00000000004a0171 in __asan_report_error ()
#7  0x00000000004a0db7 in __asan_report_load1 ()
#8  0x00007ffff7b187ce in icaltime_from_string (str=<optimized out>)
    at /home/agustin/Code/libical/src/libical/icaltime.c:448
#9  0x00007ffff7b5756f in icalvalue_new_from_string_with_error (kind=<optimized out>, 
    str=<optimized out>, error=<optimized out>)
    at /home/agustin/Code/libical/src/libical/icalvalue.c:637
#10 0x00007ffff7b548db in icalvalue_new_from_string (kind=ICAL_DATETIME_VALUE, 
    str=0x60300000ca90 "18640529T011608z")
    at /home/agustin/Code/libical/src/libical/icalvalue.c:756
#11 0x00007ffff7ad080a in icalparser_add_line (parser=<optimized out>, 
    line=<optimized out>) at /home/agustin/Code/libical/src/libical/icalparser.c:1147
#12 0x00000000004b8c3f in main (argc=2, argv=0x7fffffffdf08)
    at /home/agustin/Code/libical/src/test/icaltestparser.c:104

This issue was found using QuickFuzz; the file to reproduce it is attached.
Regards.
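The sanitizer report above is a one-byte read past a heap buffer while icaltime_from_string parses the value "18640529T011608z". The following is an added example (not libical's code) of a length-checked parser for the iCalendar DATE and DATE-TIME value shapes that never indexes beyond the string length it measured up front, so the same input is either accepted or rejected without an out-of-bounds read; the struct and function names are the example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Parsed iCalendar value: DATE (YYYYMMDD) or DATE-TIME (YYYYMMDDTHHMMSS[Z]). */
struct dt {
    int year, month, day, hour, minute, second;
    int is_date; /* 1 when only the 8-character DATE form was given */
    int is_utc;  /* 1 when the trailing UTC designator was present */
};

/* Parse exactly n ASCII digits into *out; the caller guarantees n bytes are in range. */
static int parse_digits(const char *s, size_t n, int *out)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Returns 1 on success, 0 on malformed input. The length is taken once and
 * every index is validated against it, so bytes past the terminator are
 * never read, whatever the input (hypothetical hardened parser). */
int parse_datetime(const char *str, struct dt *out)
{
    size_t len = strlen(str);
    memset(out, 0, sizeof *out);
    if (len != 8 && len != 15 && len != 16)   /* only the three legal shapes */
        return 0;
    if (!parse_digits(str, 4, &out->year) || !parse_digits(str + 4, 2, &out->month) ||
        !parse_digits(str + 6, 2, &out->day))
        return 0;
    if (len == 8) {
        out->is_date = 1;
    } else {
        if (str[8] != 'T' || !parse_digits(str + 9, 2, &out->hour) ||
            !parse_digits(str + 11, 2, &out->minute) || !parse_digits(str + 13, 2, &out->second))
            return 0;
        /* ABNF literals are case-insensitive (RFC 5234), so "Z" and "z" both mark UTC. */
        if (len == 16) {
            if (str[15] != 'Z' && str[15] != 'z')
                return 0;
            out->is_utc = 1;
        }
    }
    return out->month >= 1 && out->month <= 12 && out->day >= 1 && out->day <= 31 &&
           out->hour <= 23 && out->minute <= 59 && out->second <= 60;
}
```

Run under AddressSanitizer with the reporter's value, the parser returns 1 and touches only the 17 bytes of the string; a truncated or overlong value is refused before any field is decoded.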
