help-libidn
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Incorrect UTF-8 error handling in libidn-1.31 causes bad free()


From: Adam Sampson
Subject: Incorrect UTF-8 error handling in libidn-1.31 causes bad free()
Date: Fri, 31 Jul 2015 20:07:05 +0100
User-agent: Mutt/1.5.23+28 (79ea10b2d81c) (2014-03-12)

Dear libidn maintainers,

This program causes a crash for me with libidn 1.31:

"""
#include <idna.h>

int main() {
        const char input[] = "\200bad.com";
        char *output;

        idna_to_unicode_8z8z(input, &output, 0);

        return 0;
}
"""

idna_to_unicode_8z8z ought to return IDNA_ICONV_ERROR because the input
isn't valid UTF-8. However, it winds up calling free() with a junk
pointer as a parameter. This is because:

- in idna_to_unicode_8z8z, "char *ucs4" is uninitialised
- idna_to_unicode_8z8z calls idna_to_unicode_8z4z, which returns
  IDNA_CONV_ERROR without initialising ucs4
- idna_to_unicode_8z8z then does "free(ucs4)" before checking the return
  value from idna_to_unicode_8z4z

It looks like some of the other API functions use the same pattern (e.g.
..._8zlz), so it would be worth checking those as well.

This actually showed up for me as a crash in Courier's "maildrop" MDA
(http://www.courier-mta.org/maildrop/) -- if you feed it a message with
a From: line where the email address isn't valid UTF-8, it'll wind up
calling idna_to_unicode_8z8z on it and crashing as above.

Thanks,

-- 
Adam Sampson <address@hidden>                         <http://offog.org/>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]