Bug#840771: segfaults on valid certificate
Package: dumpasn1
Followup-For: Bug #840771

I believe the patch you have provided is not full/correct. You pass a pointer to a wide character, when the code expects to have a valid wide string (ending with L'\0'). Please consider the attached patch instead.

-- With best wishes
Dmitry

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages dumpasn1 depends on:
ii  libc6  2.24-3

dumpasn1 recommends no packages.

dumpasn1 suggests no packages.

-- no debconf information

Description: Fix bug 840771
Author: Mathieu Malaterre
Bug-Debian: https://bugs.debian.org/840771

Index: dumpasn1-20150808/dumpasn1.c
===
--- dumpasn1-20150808.orig/dumpasn1.c
+++ dumpasn1-20150808/dumpasn1.c
@@ -1362,7 +1362,7 @@ static int displayUnicode( const wchar_t #elif 1 /* This (and the "%ls" variant below) seem to be the least broken options */ - fprintf( output, "%lc", wCh ); + fprintf( output, "%lc", wCh[0] ); #elif 0 wchar_t wChString[ 2 ];
@@ -1885,13 +1885,13 @@ static void displayString( FILE *inFile, if( strOption == STR_UTF8 && ( ch & 0x80 ) ) { const int secondCh = getc( inFile ); - wchar_t wCh; + wchar_t wCh[2] = { 0, 0 }; /* It's a multibyte UTF8 character, read it as a widechar */ if( ( ch & 0xE0 ) == 0xC0 ) /* 111x -> 110x */ { /* 2-byte character in the range 0x80...0x7FF */ -wCh = ( ( ch & 0x1F ) << 6 ) | ( secondCh & 0x3F ); +wCh[0] = ( ( ch & 0x1F ) << 6 ) | ( secondCh & 0x3F ); i++; /* We've read 2 characters */ fPos += 2; }
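Review bot: the first hunk (displayUnicode, around line 1362) only changes the `%lc` branch of the preprocessor chain, but the crash in the original report is inside wcstombs() called from displayUnicode at dumpasn1.c:1325, a different branch of that same chain that no hunk touches. Whichever branch the Debian build compiles, the wcstombs() variant at 1325 also has to receive the NUL-terminated array; as posted the patch gives no evidence of that, so please either include that hunk or say which branch the package actually builds. Note also that `fprintf( output, "%lc", wCh[0] );` is only right if the parameter is now `const wchar_t *`; the hunk header is cut off after `static int displayUnicode( const wchar_t`, so the rest of the signature is not visible here.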
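Review bot: the call that hands `wCh` to displayUnicode (dumpasn1.c:1914 in the backtrace) lies just past the context of the second hunk and is not in the patch, so nothing shown proves it now passes the array (`wCh`, which decays to `const wchar_t *`) rather than `&wCh`, which after this change would be a `wchar_t (*)[2]`; please include that line. Separately, `secondCh` is used without checking that it is a continuation byte (`( secondCh & 0xC0 ) == 0x80`) or that getc() did not return EOF, so `EOF & 0x3F` is silently folded into the code point. That is pre-existing, but since the hunk already rewrites `wCh[0] = ( ( ch & 0x1F ) << 6 ) | ( secondCh & 0x3F );`, this is the natural place to add the check.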
@@ -1902,12 +1902,12 @@ static void displayString( FILE *inFile, const int thirdCh = getc( inFile ); /* 3-byte character in the range 0x800...0x */ - wCh = ( ( ch & 0x1F ) << 12 ) | \ + wCh[0] = ( ( ch & 0x1F ) << 12 ) | \ ( ( secondCh & 0x3F ) << 6 ) | \ ( thirdCh & 0x3F ); } else - wCh = '.'; + wCh[0] = '.'; i += 2; /* We've read 3 characters */ fPos += 3; }
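Review bot: `wCh[0] = ( ( ch & 0x1F ) << 12 ) | ...` in the 3-byte case keeps five bits of the lead byte, but a 3-byte UTF-8 lead is 1110xxxx and carries only four payload bits; bit 0x10 is always set for such a lead, so every 3-byte character decodes to its code point plus 0x10000 (U+20AC would come out as 0x120AC). The mask should be 0x0F, and since this line is being rewritten anyway, please fix it here. Also, in the `else` branch that sets `wCh[0] = '.';` only `ch` and `secondCh` have been read (`thirdCh` is declared inside the `if` block closed just before the `else`), yet the code still does `i += 2; fPos += 3;`, so a 4-byte lead or a stray continuation byte leaves `fPos` one byte ahead of the real file position. Not introduced by this patch, but worth a follow-up.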
Bug#840771: segfaults on valid certificate
Package: dumpasn1
Version: 20150808-1
Severity: normal

dumpasn1 segfaults on some certificates when printing Unicode strings. E.g. you can try it with the certificate downloaded from http://www.grfc.ru/upload/medialibrary/eec/016301.p7b

Valgrind backtrace:

 144  58: SET {
 146  56: SEQUENCE {
 148   3: OBJECT IDENTIFIER streetAddress (2 5 4 9)
 153  49: UTF8String
==3== Invalid read of size 4
==3==    at 0x4ED2D19: wcsnlen (wcsnlen.c:31)
==3==    by 0x4ED2556: wcsrtombs (wcsrtombs.c:104)
==3==    by 0x4E6D0D0: wcstombs (wcstombs.c:34)
==3==    by 0x402998: displayUnicode (dumpasn1.c:1325)
==3==    by 0x403B46: displayString (dumpasn1.c:1914)
==3==    by 0x405C58: printASN1object (dumpasn1.c:2823)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==  Address 0x414 is not stack'd, malloc'd or (recently) free'd
==3==
==3==
==3== Process terminating with default action of signal 11 (SIGSEGV)
==3==  Access not within mapped region at address 0x414
==3==    at 0x4ED2D19: wcsnlen (wcsnlen.c:31)
==3==    by 0x4ED2556: wcsrtombs (wcsrtombs.c:104)
==3==    by 0x4E6D0D0: wcstombs (wcstombs.c:34)
==3==    by 0x402998: displayUnicode (dumpasn1.c:1325)
==3==    by 0x403B46: displayString (dumpasn1.c:1914)
==3==    by 0x405C58: printASN1object (dumpasn1.c:2823)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==  If you believe this happened as a result of a stack
==3==  overflow in your program's main thread (unlikely but
==3==  possible), you can try to increase the size of the
==3==  main thread stack using the --main-stacksize= flag.
==3==  The main thread stack size used in this run was 8388608.

-- With best wishes
Dmitry
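The faulting address 0x414 in the backtrace is U+0414 (Cyrillic capital letter De), which is consistent with a wide character value, rather than a pointer to a wide string, reaching wcsnlen() through wcstombs(); the follow-up patch answers that with a two-element, NUL-terminated wchar_t array. The block below is an added example, not dumpasn1's code or anything posted in this thread: it decodes one UTF-8 sequence with the validation the patched code lacks (a 0x0F mask on 3-byte leads, continuation-byte and truncation checks, never advancing past bytes that were not read) and renders the result through a NUL-terminated wchar_t[2], which is what wcstombs() needs to know where to stop. The function names utf8_decode, display_wide, display_utf8, decode_cp and decode_len, and the sample byte string, are constructed for this example.

```c
/* Added example, not dumpasn1 code. Decode UTF-8 defensively and hand
 * wcstombs() a NUL-terminated wide string instead of a bare wchar_t.
 * All names and the sample input below are hypothetical. */
#include <limits.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Decode the UTF-8 sequence at buf[0] with len bytes available.
 * Returns the number of bytes consumed (1..4), or 0 for a malformed,
 * overlong or truncated sequence. *cp receives the code point, or L'.'
 * on error (dumpasn1's own fallback character). On error the caller
 * must advance by one byte, never by the length the lead byte claimed. */
static size_t utf8_decode(const unsigned char *buf, size_t len, wchar_t *cp)
{
    size_t need = 0;
    wchar_t value = 0;
    unsigned char lead;

    *cp = L'.';
    if (len == 0)
        return 0;
    lead = buf[0];
    if (lead < 0x80) { *cp = lead; return 1; }
    else if ((lead & 0xE0) == 0xC0) { need = 2; value = lead & 0x1F; } /* 110xxxxx */
    else if ((lead & 0xF0) == 0xE0) { need = 3; value = lead & 0x0F; } /* 1110xxxx: four bits, not five */
    else if ((lead & 0xF8) == 0xF0) { need = 4; value = lead & 0x07; } /* 11110xxx */
    else return 0;                        /* stray continuation byte or 0xF8..0xFF */

    if (len < need)
        return 0;                         /* truncated sequence */
    for (size_t i = 1; i < need; i++) {
        if ((buf[i] & 0xC0) != 0x80)
            return 0;                     /* not a 10xxxxxx continuation byte */
        value = (value << 6) | (buf[i] & 0x3F);
    }
    /* Reject overlong forms, UTF-16 surrogates and values above U+10FFFF */
    if ((need == 2 && value < 0x80) || (need == 3 && value < 0x800) ||
        (need == 4 && (value < 0x10000 || value > 0x10FFFF)) ||
        (value >= 0xD800 && value <= 0xDFFF))
        return 0;
    *cp = value;
    return need;
}

/* Render one code point through a NUL-terminated wide string, which is
 * the contract wcstombs() has and the one the bug report violated.
 * Returns the number of bytes written, or -1 (and prints '.') when the
 * current locale cannot represent the character. */
static int display_wide(FILE *out, wchar_t cp)
{
    wchar_t wstr[2] = { cp, L'\0' };      /* the terminator is the whole point */
    char mb[MB_LEN_MAX + 1];
    size_t n = wcstombs(mb, wstr, sizeof mb);

    if (n == (size_t)-1) {
        fputc('.', out);
        return -1;
    }
    fwrite(mb, 1, n, out);
    return (int)n;
}

/* Walk a buffer the way a string dumper would and return the number of
 * code points rendered. Undecodable bytes print as '.' and advance by
 * exactly one byte, so the file position never drifts. */
static int display_utf8(FILE *out, const unsigned char *buf, size_t len)
{
    int count = 0;
    size_t pos = 0;

    while (pos < len) {
        wchar_t cp;
        size_t used = utf8_decode(buf + pos, len - pos, &cp);
        display_wide(out, cp);
        pos += used ? used : 1;
        count++;
    }
    return count;
}

/* Locale-independent helpers so results can be checked without output */
static long decode_cp(const char *s)
{
    wchar_t cp;
    size_t n = utf8_decode((const unsigned char *)s, strlen(s), &cp);
    return n ? (long)cp : -1;
}
static long decode_len(const char *s)
{
    wchar_t cp;
    return (long)utf8_decode((const unsigned char *)s, strlen(s), &cp);
}

/* Constructed sample: a Russian street name ("ул. Тверская", 2-byte
 * Cyrillic like the streetAddress in the report), then a truncated
 * 3-byte sequence (E2 82 followed by a space), then ASCII. */
static const unsigned char sample_bytes[] =
    "\xD1\x83\xD0\xBB. \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F"
    "\xE2\x82 ok";
#define SAMPLE_LEN (sizeof sample_bytes - 1)

int main(void)
{
    setlocale(LC_ALL, "");                /* needed for wcstombs() to emit non-ASCII */
    int n = display_utf8(stdout, sample_bytes, SAMPLE_LEN);
    printf("\n%d code points\n", n);
    return 0;
}
```

Run under a UTF-8 locale to see the Cyrillic rendered; under the C locale every non-ASCII character prints as '.' but the decode and the count are unaffected, which is the property a dumper wants. The truncated E2 82 pair is reported as two undecodable bytes rather than being folded into a bogus code point and skipping the space after it.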