Hello Simon,

Robert reported some invalid memory accesses in gnutls, and one of them I traced back to libidn. A reproducer is attached. The reproducer uses strings on the heap because valgrind doesn't seem to detect such accesses on the stack.

regards,
Nikos

==623== Invalid read of size 1
==623==    at 0x4E38E7F: g_utf8_to_ucs4_fast (nfkc.c:399)
==623==    by 0x4E38E7F: stringprep_utf8_to_ucs4 (nfkc.c:1023)
==623==    by 0x4E3A7DE: idna_to_ascii_8z (idna.c:578)
==623==    by 0x4005FD: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==  Address 0x541105f is 1 bytes after a block of size 30 alloc'd
==623==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==623==    by 0x50E99D9: strdup (strdup.c:42)
==623==    by 0x4005E0: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==
==623== Invalid read of size 1
==623==    at 0x4E38E34: g_utf8_to_ucs4_fast (nfkc.c:444)
==623==    by 0x4E38E34: stringprep_utf8_to_ucs4 (nfkc.c:1023)
==623==    by 0x4E3A7DE: idna_to_ascii_8z (idna.c:578)
==623==    by 0x4005FD: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==  Address 0x541105e is 0 bytes after a block of size 30 alloc'd
==623==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==623==    by 0x50E99D9: strdup (strdup.c:42)
==623==    by 0x4005E0: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==
==623== Invalid read of size 1
==623==    at 0x4E38E7F: g_utf8_to_ucs4_fast (nfkc.c:399)
==623==    by 0x4E38E7F: stringprep_utf8_to_ucs4 (nfkc.c:1023)
==623==    by 0x4E3A7DE: idna_to_ascii_8z (idna.c:578)
==623==    by 0x400610: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==  Address 0x54110af is 0 bytes after a block of size 15 alloc'd
==623==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==623==    by 0x50E99D9: strdup (strdup.c:42)
==623==    by 0x4005ED: main (in /home/nmav/cvs/gnutls/lib/a.out)

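#include <stdlib.h>   /* exit */
#include <idna.h>

/* Input ends with 0xe5, the lead byte of a 3-byte UTF-8 sequence,
   immediately before the terminating NUL. */
const char x[] =
    "\x7e\x64\x61\x72\x10\x2f\x2f\xf9\x2b\x71\x60\x79\x7b\x2e\x63"
    "\x75\x2b\x61\x65\x72\x75\x65\x56\x66\x7f\x62\xc5\x76\xe5\x00";

int main()
{
    char *s = NULL;
    int rc = idna_to_ascii_8z(x, &s, 0);

    if (rc != IDNA_SUCCESS) {
        exit(1);
    }
    exit(0);
}
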
_______________________________________________
Help-libidn mailing list
Help-libidn@gnu.org
https://lists.gnu.org/mailman/listinfo/help-libidn
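
A caller-side check for the condition in the report above: this is an added example, not code from the original message or from libidn. It rejects a string whose multi-byte UTF-8 sequence is cut short by the terminating NUL, before the string reaches a converter that advances by lead-byte length. The name utf8_is_valid is hypothetical; the byte string is the x[] from the reproducer.

```c
#include <stdio.h>

/* Bytes of x[] from the reproducer above. */
static const char reproducer[] =
    "\x7e\x64\x61\x72\x10\x2f\x2f\xf9\x2b\x71\x60\x79\x7b\x2e\x63"
    "\x75\x2b\x61\x65\x72\x75\x65\x56\x66\x7f\x62\xc5\x76\xe5\x00";

/* Hypothetical helper: returns 1 if s is well-formed NUL-terminated UTF-8,
   else 0. It never reads past the NUL, because every continuation byte is
   tested before the pointer moves over it. */
int utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        unsigned need;        /* continuation bytes still expected */
        unsigned long cp, min; /* code point, smallest value for this length */

        if (*p < 0x80)                { need = 0; cp = *p;        min = 0; }
        else if ((*p & 0xE0) == 0xC0) { need = 1; cp = *p & 0x1F; min = 0x80; }
        else if ((*p & 0xF0) == 0xE0) { need = 2; cp = *p & 0x0F; min = 0x800; }
        else if ((*p & 0xF8) == 0xF0) { need = 3; cp = *p & 0x07; min = 0x10000; }
        else return 0;        /* stray continuation byte or 0xF8..0xFF */
        p++;
        while (need--) {
            /* A NUL (0x00) fails the 10xxxxxx test, so a truncated
               sequence is rejected here instead of being stepped over. */
            if ((*p & 0xC0) != 0x80)
                return 0;
            cp = (cp << 6) | (*p & 0x3F);
            p++;
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;         /* overlong, out of range, or surrogate */
    }
    return 1;
}

int main(void)
{
    printf("reproducer valid: %d\n", utf8_is_valid(reproducer));
    printf("truncated tail valid: %d\n", utf8_is_valid("abc\xe5"));
    printf("constructed name valid: %d\n", utf8_is_valid("b\xc3\xbc" "cher.example"));
    return 0;
}
```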