Hanno Böck <ha...@hboeck.de> writes:

> Hi,
>
> When passing an input of exactly 64 bytes to the idn tool it will
> generate an out of bounds stack read.
> This happens in the function idna_to_ascii_4i.
>
> In Line 213 if the input is less than 64 bytes it will zero-terminate
> the string. However if it's exactly 64 bytes the input will fill the
> out buffer and no zero termination will happen. Therefore the strlen
> call in line 271 will cause an out of bounds.
>
> Attached a sample input and a patch that will return an error on a 64
> byte input. The strlen (out) > 63 check doesn't really make sense,
> because inside a 64 byte buffer there can never be a correct
> zero-terminated string longer than 63 bytes. Therefore I've removed
> that check.
>
> Found with the help of american fuzzy lop.

Thank you Hanno. This was fixed in git earlier this year, but real life
intervened and distracted me. Here is a link to the commit that should
fix this:

http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d

I'm preparing a new release, so if you or anyone else has any concerns
over this patch, now is a good time to bring it up.

/Simon

_______________________________________________
Help-libidn mailing list
Help-libidn@gnu.org
https://lists.gnu.org/mailman/listinfo/help-libidn
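
Added example, not part of the original thread and not libidn's source: the termination gap the report describes, reduced to a 64-byte buffer, next to a copy that returns an error when the input leaves no room for the terminator. The function names, the return codes and the 'a'-filled input are constructed for illustration; the unterminated buffer is only ever measured with a bounded search, never with strlen.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_BUF 64 /* size from the report: 63 bytes of data plus the NUL */

/* Pattern as the report describes it: terminate only when there is room. */
void copy_as_reported(char out[LABEL_BUF], const char *in, size_t inlen)
{
    size_t n = inlen < LABEL_BUF ? inlen : LABEL_BUF;
    memcpy(out, in, n);
    if (n < LABEL_BUF)
        out[n] = '\0'; /* n == LABEL_BUF leaves out[] without a terminator */
}

/* Checked copy: refuse any input that would fill the whole buffer. */
int copy_checked(char out[LABEL_BUF], const char *in, size_t inlen)
{
    if (inlen >= LABEL_BUF)
        return -1;
    memcpy(out, in, inlen);
    out[inlen] = '\0';
    return 0;
}

/* Length that never reads past the buffer; -1 when no terminator exists. */
long bounded_len(const char out[LABEL_BUF])
{
    const char *nul = memchr(out, '\0', LABEL_BUF);
    return nul ? (long)(nul - out) : -1;
}

/* Constructed input of inlen 'a' bytes. Returns the bounded length of out,
   -1 if out is unterminated, -2 if the checked copy rejected the input. */
long run(size_t inlen, int checked)
{
    char in[LABEL_BUF], out[LABEL_BUF];
    memset(in, 'a', sizeof in);
    memset(out, 'x', sizeof out); /* stands in for stale stack contents */
    if (checked && copy_checked(out, in, inlen) != 0)
        return -2;
    if (!checked)
        copy_as_reported(out, in, inlen);
    return bounded_len(out);
}

int main(void)
{
    printf("reported: 63 -> %ld, 64 -> %ld\n", run(63, 0), run(64, 0));
    printf("checked:  63 -> %ld, 64 -> %ld\n", run(63, 1), run(64, 1));
    return 0;
}
```

A result of -1 for the 64-byte case is the state in which a later strlen on the buffer would run past its end.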