A heap-buffer-overflow in icaltime_from_string #251
Comments
Can you attach icaltestparser.c so I don't have to write my own test harness? I believe I already have a fix for this.
Never mind. I didn't realize you were using the harness in libical.
Proposed patch: diff --git a/src/libical/icaltime.c b/src/libical/icaltime.c
Markdown seems to have mangled your patch, can you please fix it?
Verified that Ken's patch fixes the overflow. But now we get stuck in an infinite loop in icalparser.
This fixes the infinite loop. Note that icaltestparser.c leaks the parsed component(s) (verified by Valgrind).
I just committed a fix to icaltestparser.c that fixes the stuff that it was leaking directly. A component is still being leaked when the iCalendar is incomplete/bogus. Still tracking this one down. Should I commit my icaltime.c and icalparser.c fixes? |
Yes, please commit. And you can close this issue too.
hehe.. I see the leak, and Coverity had found it previously. And I cheated and added a /* coverity[leaked_storage] */ comment so Coverity wouldn't complain. Yeah, it would be nice if you can fix that leak.
The leak wasn't where you thought. It was easy to find once I compiled a debug version of libical (I was guessing before).
Just to cross-reference data, this is supposed to be CVE-2016-5824, which was also reported to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 This is according to http://www.openwall.com/lists/oss-security/2017/01/20/16
Hello, we recently found a memory issue when parsing and executing a fuzzed ical file in the last revision of libical (#19acf43794ad4c99f7e6687cb39424a82b737828).
We tested this issue on Ubuntu 14.04, but other configurations could be affected.
Technical details about the issue are:
gdb backtrace is as follows:
This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.
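The defensive pattern behind a fix for this class of bug, as an added example that is not libical's code or Ken's patch: a simplified, hypothetical `demo_time_from_string` for the RFC 5545 DATE-TIME forms that validates the string's length up front, so a truncated or fuzzed date string is rejected instead of being indexed past its end.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified DATE-TIME parser for the RFC 5545 forms
 * YYYYMMDD, YYYYMMDDTHHMMSS and YYYYMMDDTHHMMSSZ. Illustrates
 * length-checking before indexing; it is NOT libical's
 * icaltime_from_string or its fix. */
struct demo_time {
    int year, month, day, hour, minute, second;
    bool is_date;   /* true when no time part is present */
    bool is_utc;    /* true when a trailing 'Z' is present */
};

/* Reads exactly n ASCII digits at s; returns -1 on any non-digit.
 * Callers guarantee that n bytes are present. */
static int demo_digits(const char *s, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Returns 0 on success, -1 on malformed input. Every fixed-offset read
 * below is covered by the length check, so short input never reaches
 * past the terminator. */
int demo_time_from_string(const char *str, struct demo_time *out)
{
    if (str == NULL || out == NULL) return -1;
    size_t len = 0;
    while (len <= 16 && str[len] != '\0') len++;   /* bounded scan */
    if (len != 8 && len != 15 && len != 16) return -1;
    memset(out, 0, sizeof *out);
    out->year  = demo_digits(str, 4);
    out->month = demo_digits(str + 4, 2);
    out->day   = demo_digits(str + 6, 2);
    if (out->year < 0 || out->month < 1 || out->month > 12 ||
        out->day < 1 || out->day > 31) return -1;
    if (len == 8) { out->is_date = true; return 0; }
    if (str[8] != 'T') return -1;
    out->hour   = demo_digits(str + 9, 2);
    out->minute = demo_digits(str + 11, 2);
    out->second = demo_digits(str + 13, 2);
    if (out->hour < 0 || out->hour > 23 || out->minute < 0 ||
        out->minute > 59 || out->second < 0 || out->second > 60) return -1;
    if (len == 16) { if (str[15] != 'Z') return -1; out->is_utc = true; }
    return 0;
}
```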