[ https://issues.apache.org/jira/browse/JAMES-3753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17526220#comment-17526220 ]
Benoit Tellier commented on JAMES-3753:
---------------------------------------

The deflow part is now merged. Fuzzing however found defects on the flow part, not addressed yet.

1:

{code:java}
#20255 REDUCE cov: 47 ft: 241 corp: 58/875b lim: 80 exec/s: 0 rss: 169Mb L: 20/63 MS: 1 EraseBytes-

== Java Exception: java.lang.StringIndexOutOfBoundsException: String index out of range: 77
	at java.base/java.lang.StringLatin1.charAt(StringLatin1.java:47)
	at java.base/java.lang.String.charAt(String.java:693)
	at org.apache.mailet.base.FlowedMessageUtils.isAlphaChar(FlowedMessageUtils.java:342)
	at org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:242)
	at org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:198)
	at Flow.fuzzerTestOneInput(Flow.java:26)
DEDUP_TOKEN: 98734b6baa46951b
== libFuzzer crashing input ==
MS: 3 ChangeByte-EraseBytes-InsertRepeatedBytes-; base unit: ee65a29d115f109f598e8723b7d80c9adb0e24bc
0x3e,0x3e,0x3e,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3e,0x3e,0x3e,
>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>
artifact_prefix='./'; Test unit written to ./crash-543b5ca62bb8cc47cd7a43b021375c0343d07ae1
Base64: Pj4+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+Pj4=
{code}

2:

{code:java}
#161909 NEW cov: 80 ft: 553 corp: 169/16Kb lim: 589 exec/s: 17989 rss: 279Mb L: 309/540 MS: 1 PersAutoDict- DE: "a\x00\x00\x00"-

== Java Exception: java.lang.IndexOutOfBoundsException: start 0, end 85, length 84
	at java.base/java.lang.AbstractStringBuilder.checkRange(AbstractStringBuilder.java:1716)
	at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:631)
	at java.base/java.lang.StringBuilder.append(StringBuilder.java:217)
	at org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:254)
	at org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:198)
	at Flow.fuzzerTestOneInput(Flow.java:26)
DEDUP_TOKEN: f8ed07a58079a9ed
== libFuzzer crashing input ==
MS: 5 CopyPart-ChangeBinInt-EraseBytes-CrossOver-EraseBytes-; base unit: 2918d0c256604a4173fc474a5991c0c7d0c76d3e
artifact_prefix='./'; Test unit written to ./crash-fa906a86e550aa4c7c18706786622281dc55877f
reproducer_path='.'; Java reproducer written to ./Crash_fa906a86e550aa4c7c18706786622281dc55877f.java
{code}

With base 64:

{code:java}
$ base64 ./crash-fa906a86e550aa4c7c18706786622281dc55877f
PgAAAAAAAAAACQA+S09LS0v///8BRQAAAAAA/yAKinJvbSAgCkZyb20gIApGcm9tIH8AAABtICAK
RnJvbSBtICAKPj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+
Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4KRnJvbSB/AAAAbSAgAAAAAAAAAAAK
RnJvbSAgACAgCkZyZ20gIAogCoogCkZyAAAAAP//S0tLb20gIApvbSAgCkZyb20gIAoKIApGcm+w
ICAKRnJvbSAgRnJvbSAKRnJvbSAgACBGcktvbSAgACBLSwoAAAAAAABLS0tLS0tLS0tLS0s+IAJr
S0tLS0tLS0tLIAogCnAKQwBGODg4cm9tICAKRnJvbSAgRnI4ODg4ODg4ODg4ODhLODg4ODg4ODg4
ODg4ODhLODg4OG9tICAKRnJvbSAgACBLSxcXUzg4OAogCgoKIAoKIApGcm9tICAAIAo4ODg4ODg4
ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg+
PgAAAAA=
{code}

And 3:

{code:java}
#58742 REDUCE cov: 80 ft: 495 corp: 138/8018b lim: 198 exec/s: 58742 rss: 278Mb L: 85/198 MS: 4 ChangeByte-EraseBytes-ChangeBit-CopyPart-

== Java Exception: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
	at java.base/java.lang.String.substring(String.java:1841)
	at org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:262)
	at org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:198)
	at Flow.fuzzerTestOneInput(Flow.java:26)
DEDUP_TOKEN: aa788d652efbfb4b
== libFuzzer crashing input ==
MS: 2 EraseBytes-CopyPart-; base unit: 1a3229fda9b1c877a54447de84a885dc7e7838d2
0xa9,0x1,0x0,0x0,0xa,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0xa9,0x1,0x0,0x0,0xa,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0xa,
\xa9\x01\x00\x00\x0a>>>>>>>>>>>>>>>>>>>>>>>>>>>>\xa9\x01\x00\x00\x0a>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\x0a
artifact_prefix='./'; Test unit written to ./crash-f6a4239a7a187c27130d1704cb9bcd2da1ebde2e
Base64: qQEAAAo+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+qQEAAAo+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Cg==
{code}

And 4:

{code:java}
#109 REDUCE cov: 31 ft: 71 corp: 9/24b lim: 4 exec/s: 0 rss: 129Mb L: 2/4 MS: 2 ChangeBit-EraseBytes-
==201969== ERROR: libFuzzer: out-of-memory (used: 2573Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

MS: 3 ChangeBinInt-CrossOver-CMP- DE: "\x00>"-; base unit: 11d7d7ce0b68973d37325a5b3f1fdcf7d2e88954
0x0,0x3e,
\x00>
artifact_prefix='./'; Test unit written to ./oom-9d394f37e0e251ccbe3c477f6bb122005c38f167
Base64: AD4=
{code}

> Bug in FlowedMessageUtils.deflow() can lead to quote characters being stripped
> ------------------------------------------------------------------------------
>
>                 Key: JAMES-3753
>                 URL: https://issues.apache.org/jira/browse/JAMES-3753
>             Project: James Server
>          Issue Type: Bug
>            Reporter: cketti
>            Priority: Minor
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> When a quoted line ends with a space and is followed by an empty line (quote
> depth 0), the text isn't decoded properly.
> Example (the text "Quoted" is followed by a space, indicating a flowed line):
> {noformat}
> > Quoted 
> Text
> {noformat}
> will be deflowed to
> {noformat}
> Quoted
> Text
> {noformat}
> [RFC 3676|https://datatracker.ietf.org/doc/html/rfc3676] specifically
> mentions this case:
> {quote}A generating agent MUST NOT create this situation; a receiving agent
> SHOULD handle it by giving preference to the quote depth.
> {quote}
> However, an email containing such data was encountered in the wild. See
> [https://github.com/k9mail/k-9/issues/6029].

--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
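The two points of this thread, the deflow edge case in the issue description (a flowed quoted line followed by a line at a different quote depth, where RFC 3676 says the receiver should prefer the quote depth) and the flow() crashes the fuzzer found on inputs made of quote marks and NUL bytes, as an added example. This is independent code written for this page in Python, not James's FlowedMessageUtils and not a port of it. It assumes DelSp=no on encode, a 72-column default width, and chooses to drop the dangling soft-break space when a depth change closes a paragraph; that last behaviour is a design choice, not an RFC requirement. HOSTILE_INPUTS are constructed to resemble the shapes of crash units 1, 3 and 4 above, not the byte-exact crash files.

```python
"""RFC 3676 (format=flowed) encoder/decoder written for this page as an
independent example; it is not James's FlowedMessageUtils. deflow() closes a
paragraph when the quote depth changes even if the previous line was flowed,
and flow() never indexes past the end of hostile input."""

SIG_SEP = "-- "  # signature separator: ends in a space but is never a soft break


def _split_quote(line):
    """Return (quote_depth, remainder); depth counts the leading '>' marks."""
    depth = len(line) - len(line.lstrip(">"))
    return depth, line[depth:]


def _render(depth, text):
    """Re-attach quote marks to a decoded paragraph, plus one readability space."""
    if depth == 0:
        return text
    return ">" * depth + (" " + text if text else "")


def deflow(text, delsp=False):
    """Decode format=flowed text; flowed lines join only across equal quote depth."""
    paragraphs = []              # (depth, text) in order of appearance
    cur_depth, cur = None, None  # the paragraph still waiting for more lines
    for raw in text.split("\n"):
        depth, body = _split_quote(raw)
        if body.startswith(" "):
            body = body[1:]      # undo space-stuffing (RFC 3676 section 4.4)
        flowed = body.endswith(" ") and body != SIG_SEP
        if flowed and delsp:
            body = body[:-1]     # DelSp=yes: the soft-break space is not content
        if cur is not None and depth != cur_depth:
            # Depth changed under an open paragraph: close it instead of pulling
            # this line into the quoted text (RFC 3676 section 4.5, "giving
            # preference to the quote depth"). Dropping the dangling soft-break
            # space is a design choice here, not something the RFC mandates.
            paragraphs.append((cur_depth, cur.rstrip(" ")))
            cur = None
        if cur is None:
            cur_depth, cur = depth, body
        else:
            cur += body
        if not flowed:
            paragraphs.append((cur_depth, cur))
            cur = None
    if cur is not None:          # input ended on a flowed line
        paragraphs.append((cur_depth, cur.rstrip(" ")))
    return "\n".join(_render(d, t) for d, t in paragraphs)


def _wrap(body, width):
    """Greedy wrap on single spaces; an over-long word is emitted whole, never sliced."""
    lines, cur = [], None
    for word in body.split(" "):
        cand = word if cur is None else cur + " " + word
        if cur is not None and len(cand) > width:
            lines.append(cur)
            cur = word
        else:
            cur = cand
    lines.append(cur)
    return lines


def flow(text, width=72):
    """Encode text as format=flowed (DelSp=no). An input line is leading '>'
    marks, an optional conventional space, then content."""
    out = []
    for raw in text.split("\n"):
        depth, body = _split_quote(raw)
        if depth and body.startswith(" "):
            body = body[1:]      # "> text" quotes "text"
        if body == SIG_SEP:
            segments = [body]    # keep the signature separator intact
        else:
            # A trailing space on a fixed line would be misread as a soft break.
            segments = _wrap(body.rstrip(" "), max(1, width - depth - 2))
        prefix = ">" * depth
        last = len(segments) - 1
        for i, seg in enumerate(segments):
            if seg == "" and i == last:
                out.append(prefix)   # a stuffing space here would make the line flowed
                continue
            # Space-stuff (section 4.4) anything quoted, empty-but-continued, or
            # starting with a character the decoder would otherwise interpret.
            stuff = depth > 0 or seg == "" or seg[0] in (" ", ">") or seg.startswith("From ")
            out.append(prefix + (" " if stuff else "") + seg + (" " if i < last else ""))
    return "\n".join(out)


# Constructed inputs shaped like the fuzzer's crash units on the page (quote
# marks around a run of NUL bytes; a NUL then a quote mark; a line of nothing
# but quote marks). They are not the byte-exact crash files.
HOSTILE_INPUTS = [
    ">>>" + "\x00" * 71 + ">>>",
    "\x00>",
    "\xa9\x01\x00\x00\n" + ">" * 28 + "\xa9\x01\x00\x00\n" + ">" * 81 + "\n",
]

if __name__ == "__main__":
    print(deflow("> Quoted \nText"))             # the ticket's case: depth wins
    print(flow("> " + "word " * 5 + "word", 20))  # soft breaks keep the quote marks
    for hostile in HOSTILE_INPUTS:
        deflow(flow(hostile))                     # must not raise
```

The encoder never slices a string by a computed index: wrapping works on whole words, an over-long word (such as a run of NUL bytes) is emitted as its own line, and a line of nothing but quote marks becomes a bare prefix with no stuffing space, since stuffing an empty line would turn it into a flowed one. The decoder treats a depth change as a hard paragraph boundary before it looks at the line's own flowed flag, which is what keeps the "> Quoted " / "Text" pair from being merged.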