[
https://issues.apache.org/jira/browse/JAMES-3753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17526220#comment-17526220
]
Benoit Tellier commented on JAMES-3753:
---------------------------------------
The deflow part is now merged.
Fuzzing, however, found defects in the flow part, not addressed yet.
1:
{code:java}
#20255 REDUCE cov: 47 ft: 241 corp: 58/875b lim: 80 exec/s: 0 rss: 169Mb L:
20/63 MS: 1 EraseBytes-
== Java Exception: java.lang.StringIndexOutOfBoundsException: String index out
of range: 77
at java.base/java.lang.StringLatin1.charAt(StringLatin1.java:47)
at java.base/java.lang.String.charAt(String.java:693)
at
org.apache.mailet.base.FlowedMessageUtils.isAlphaChar(FlowedMessageUtils.java:342)
at
org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:242)
at
org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:198)
at Flow.fuzzerTestOneInput(Flow.java:26)
DEDUP_TOKEN: 98734b6baa46951b
== libFuzzer crashing input ==
MS: 3 ChangeByte-EraseBytes-InsertRepeatedBytes-; base unit:
ee65a29d115f109f598e8723b7d80c9adb0e24bc
0x3e,0x3e,0x3e,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3e,0x3e,0x3e,
>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>
artifact_prefix='./'; Test unit written to
./crash-543b5ca62bb8cc47cd7a43b021375c0343d07ae1
Base64:
Pj4+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+Pj4=
{code}
2:
{code:java}
#161909 NEW cov: 80 ft: 553 corp: 169/16Kb lim: 589 exec/s: 17989 rss: 279Mb
L: 309/540 MS: 1 PersAutoDict- DE: "a\x00\x00\x00"-
== Java Exception: java.lang.IndexOutOfBoundsException: start 0, end 85, length
84
at
java.base/java.lang.AbstractStringBuilder.checkRange(AbstractStringBuilder.java:1716)
at
java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:631)
at java.base/java.lang.StringBuilder.append(StringBuilder.java:217)
at
org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:254)
at
org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:198)
at Flow.fuzzerTestOneInput(Flow.java:26)
DEDUP_TOKEN: f8ed07a58079a9ed
== libFuzzer crashing input ==
MS: 5 CopyPart-ChangeBinInt-EraseBytes-CrossOver-EraseBytes-; base unit:
2918d0c256604a4173fc474a5991c0c7d0c76d3e
artifact_prefix='./'; Test unit written to
./crash-fa906a86e550aa4c7c18706786622281dc55877f
reproducer_path='.'; Java reproducer written to
./Crash_fa906a86e550aa4c7c18706786622281dc55877f.java
{code}
With base64:
{code:java}
$ base64 ./crash-fa906a86e550aa4c7c18706786622281dc55877f
{code}
And 3:
{code:java}
#58742 REDUCE cov: 80 ft: 495 corp: 138/8018b lim: 198 exec/s: 58742 rss:
278Mb L: 85/198 MS: 4 ChangeByte-EraseBytes-ChangeBit-CopyPart-
== Java Exception: java.lang.StringIndexOutOfBoundsException: String index out
of range: -1
at java.base/java.lang.String.substring(String.java:1841)
at
org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:262)
at
org.apache.mailet.base.FlowedMessageUtils.flow(FlowedMessageUtils.java:198)
at Flow.fuzzerTestOneInput(Flow.java:26)
DEDUP_TOKEN: aa788d652efbfb4b
== libFuzzer crashing input ==
MS: 2 EraseBytes-CopyPart-; base unit: 1a3229fda9b1c877a54447de84a885dc7e7838d2
0xa9,0x1,0x0,0x0,0xa,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0xa9,0x1,0x0,0x0,0xa,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0x3e,0xa,
\xa9\x01\x00\x00\x0a>>>>>>>>>>>>>>>>>>>>>>>>>>>>\xa9\x01\x00\x00\x0a>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\x0a
artifact_prefix='./'; Test unit written to
./crash-f6a4239a7a187c27130d1704cb9bcd2da1ebde2e
Base64:
qQEAAAo+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+qQEAAAo+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Cg==
{code}
And 4:
{code:java}
#109 REDUCE cov: 31 ft: 71 corp: 9/24b lim: 4 exec/s: 0 rss: 129Mb L: 2/4
MS: 2 ChangeBit-EraseBytes-
==201969== ERROR: libFuzzer: out-of-memory (used: 2573Mb; limit: 2048Mb)
To change the out-of-memory limit use -rss_limit_mb=<N>
MS: 3 ChangeBinInt-CrossOver-CMP- DE: "\x00>"-; base unit:
11d7d7ce0b68973d37325a5b3f1fdcf7d2e88954
0x0,0x3e,
\x00>
artifact_prefix='./'; Test unit written to
./oom-9d394f37e0e251ccbe3c477f6bb122005c38f167
Base64: AD4=
{code}
> Bug in FlowedMessageUtils.deflow() can lead to quote characters being stripped
> ------------------------------------------------------------------------------
>
> Key: JAMES-3753
> URL: https://issues.apache.org/jira/browse/JAMES-3753
> Project: James Server
> Issue Type: Bug
> Reporter: cketti
> Priority: Minor
> Time Spent: 2h
> Remaining Estimate: 0h
>
> When a quoted line ends with a space and is followed by an empty line (quote
> depth 0), the text isn't decoded properly.
> Example (the text "Quoted" is followed by a space, indicating a flowed line):
> {noformat}
> > Quoted
> Text
> {noformat}
> will be deflowed to
> {noformat}
> Quoted
> Text
> {noformat}
> [RFC 3676|https://datatracker.ietf.org/doc/html/rfc3676] specifically
> mentions this case:
> {quote}A generating agent MUST NOT create this situation; a receiving agent
> SHOULD handle it by giving preference to the quote depth.
> {quote}
> However, an email containing such data was encountered in the wild. See
> [https://github.com/k9mail/k-9/issues/6029].
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
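Added example, not code from James, Benoit or cketti: a small RFC 3676 flow/deflow pair in Python covering both halves of this thread. deflow() handles the case from the issue description (a flowed quoted line followed by a line of lower quote depth) the way RFC 3676 section 4.5 asks, by giving preference to the quote depth instead of joining or dropping the quote marks; flow() space-stuffs, wraps at a width and terminates paragraphs so that inputs shaped like the crashing fuzzer units above (runs of '>' marks, NUL bytes, a quote prefix longer than the line width) encode and decode without index errors. The width and delsp parameters, the roundtrips() helper and the FUZZ_SAMPLES strings are my assumptions; the samples are constructed after the byte dumps in the comment, not decoded from them. Quote marks are kept in the decoded form without re-inserting a readability space after them (that space is stuffing under RFC 3676 4.4), so "> Quoted " decodes to ">Quoted".

```python
"""RFC 3676 format=flowed encoder/decoder (added example, not James code)."""
import re

QUOTE_MARKS = re.compile(r"^>*")
SIG_SEP = "-- "          # signature separator: never flowed, never joined


def split_quote(line):
    """Return (quote depth, text after the '>' marks) for one line."""
    depth = len(QUOTE_MARKS.match(line).group(0))
    return depth, line[depth:]


def deflow(text, delsp=False):
    """Decode flowed text; flowed lines join only while the quote depth is unchanged."""
    paragraphs = []
    pending = None                                   # [depth, text] of an open paragraph
    for line in text.split("\n"):
        depth, body = split_quote(line.rstrip("\r"))
        if body.startswith(" "):                     # undo space-stuffing (RFC 3676 4.4)
            body = body[1:]
        flowed = body.endswith(" ") and body != SIG_SEP
        if flowed and delsp:
            body = body[:-1]
        if pending is not None and pending[0] != depth:
            # RFC 3676 4.5: the quote depth wins over the flow marker. Close the open
            # paragraph (dropping its dangling flow space) instead of joining across depths.
            txt = pending[1]
            if not delsp and txt.endswith(" "):
                txt = txt[:-1]
            paragraphs.append((pending[0], txt))
            pending = None
        if pending is None:
            pending = [depth, body]
        else:
            pending[1] += body
        if not flowed:
            paragraphs.append(tuple(pending))
            pending = None
    if pending is not None:                          # flowed line at end of input
        paragraphs.append(tuple(pending))
    return "\n".join(">" * d + t for d, t in paragraphs)


def _wrap(body, limit):
    """Greedy wrap; every piece but the last ends with the space it broke at."""
    pieces = []
    while len(body) > limit:
        cut = body.rfind(" ", 0, limit)
        if cut < 0:                                  # no break point within limit:
            cut = body.find(" ", limit)              # accept an over-long word
        if cut >= 0 and body[:cut + 1] == SIG_SEP:   # never emit "-- " as a flowed line
            cut = body.find(" ", cut + 1)
        if cut < 0:
            break
        pieces.append(body[:cut + 1])
        body = body[cut + 1:]
    pieces.append(body)
    return pieces


def flow(text, width=72, delsp=False):
    """Encode text (quote marks + content per line) into format=flowed lines."""
    out = []
    for line in text.split("\n"):
        depth, body = split_quote(line)
        # Room for the quote prefix, one stuffing space and the DelSp space; a quote
        # prefix longer than the width (fuzzer unit 3) still leaves a limit of 1.
        limit = max(width - depth - 1 - (1 if delsp else 0), 1)
        chunks = _wrap(body, limit)
        items = [(c, True) for c in chunks[:-1]] + [(chunks[-1], False)]
        if chunks[-1].endswith(" ") and chunks[-1] != SIG_SEP:
            # Content ending in a space would be misread as a flow marker: send it
            # flowed and terminate the paragraph with an empty fixed line.
            items[-1] = (chunks[-1], True)
            items.append(("", False))
        for chunk, flowed in items:
            if flowed and delsp:
                chunk += " "
            if chunk[:1] in (" ", ">") or chunk.startswith("From "):   # space-stuffing
                chunk = " " + chunk
            out.append(">" * depth + chunk)
    return "\n".join(out)


def roundtrips(text, **kw):
    """True when flow() output decodes back to the original text."""
    return deflow(flow(text, **kw), delsp=kw.get("delsp", False)) == text


# Constructed samples in the shape of crash inputs 1, 3 and 4 from the comment
# (quote marks around a NUL run, a quote prefix longer than the width, "\x00>").
FUZZ_SAMPLES = [
    ">>>" + "\x00" * 71 + ">>>",
    "\xa9\x01\x00\x00\n" + ">" * 28 + "\xa9\x01\x00\x00\n" + ">" * 81 + "\n",
    "\x00>",
]

if __name__ == "__main__":
    print(repr(deflow("> Quoted \nText")))          # the issue's case
    print(all(roundtrips(s) for s in FUZZ_SAMPLES))
```

deflow() of the issue's example gives ">Quoted\nText" rather than the buggy "Quoted\nText": the quote marks of the flowed line survive because a depth change closes the paragraph. A byte-exact round trip through flow() and deflow() is the property to fuzz for on the encoder side; every FUZZ_SAMPLES entry passes it with and without DelSp.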