A heap-use-after-free in icalreqstattype_as_string_r #253
Comments
I'm not sure how to fix this one without breaking other stuff. icaltypes.h says the following about the debug string: 'The In the case of icaltestparser.c we are certainly freeing the string before using it.
this patch using the ring buffer based memory handling maybe?
That would probably work, but I wonder if we'd have the same issue that we had with rscale in a multi-threaded app
This issue is known as CVE-2016-9584 according to http://www.openwall.com/lists/oss-security/2017/01/20/16
Does this fix both CVE-2016-9584 and CVE-2016-5824?
yes. from what I can tell, both CVEs point to the same code problem. the patch I showed earlier in this issue is not the best solution, and I don't know if multithreaded apps will work properly with it.
Any further thoughts? :)
we don't have a proper fix yet.
I committed the stat.debug = icalmemory_tmp_copy(p2 + 1); as shown in the earlier comments. I don't know if threaded apps will barf on this. let's close for now until someone finds a problem.
A typo prevented the commit mentioned above from being linked to this issue. I'll add the link here to help future generations ;) 6b9438d
Hello, we recently found a memory issue parsing and executing a fuzzed ical file in the last revision of libical (#19acf43794ad4c99f7e6687cb39424a82b737828).
We tested this issue on Ubuntu 14.04 but other configurations could be affected.
Technical details about the issue are:
gdb backtrace is as follows:
This issue was found using QuickFuzz, the file to reproduce it is attached.
Regards.
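A minimal C model of the pattern discussed in this thread, added here as an illustration and not taken from libical. It assumes the pre-fix parser stored a pointer into the caller's string (the committed line copies `p2 + 1` instead); `struct reqstat`, `reqstat_parse`, `ring_copy` and `debug_aliases` are hypothetical names, and the input string is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a parsed request status; not libical's struct. */
struct reqstat { int major, minor; const char *debug; };

#define RING_SLOTS 4             /* assumed size; a copy lives until its slot is reused */
static char *ring[RING_SLOTS];   /* process-global, so shared by all threads */
static size_t ring_pos;

static const char *ring_copy(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL) return NULL;
    memcpy(copy, s, n);
    free(ring[ring_pos]);        /* drop the oldest copy in this slot */
    ring[ring_pos] = copy;
    ring_pos = (ring_pos + 1) % RING_SLOTS;
    return copy;
}

/* copy_debug=0: debug aliases the input (reported pattern); 1: copied first (fix pattern). */
struct reqstat reqstat_parse(const char *str, int copy_debug)
{
    struct reqstat st = {0, 0, NULL};
    const char *p1, *p2;
    if (sscanf(str, "%d.%d", &st.major, &st.minor) != 2) return st;
    p1 = strchr(str, ';');
    p2 = p1 ? strchr(p1 + 1, ';') : NULL;
    if (p2 != NULL) st.debug = copy_debug ? ring_copy(p2 + 1) : p2 + 1;
    return st;
}

/* True when st->debug points into buf[0..len), i.e. it dies with buf. */
int debug_aliases(const struct reqstat *st, const char *buf, size_t len)
{
    uintptr_t d = (uintptr_t)st->debug, b = (uintptr_t)buf;
    return st->debug != NULL && d >= b && d < b + len;
}

int main(void)
{
    char in[] = "2.0;Success;constructed debug text";   /* constructed input */
    struct reqstat a = reqstat_parse(in, 0), b = reqstat_parse(in, 1);
    printf("alias: %d, copy: %d\n", debug_aliases(&a, in, sizeof in), debug_aliases(&b, in, sizeof in));
    return 0;
}
```

Building a caller that frees its input with `-fsanitize=address` makes the aliasing variant report on the first read of `debug`, while the copied variant stays valid until its ring slot is reused.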