Incorrect UTF-8 error handling in libidn-1.31 causes bad free()
From: Adam Sampson
Subject: Incorrect UTF-8 error handling in libidn-1.31 causes bad free()
Date: Fri, 31 Jul 2015 20:07:05 +0100
User-agent: Mutt/1.5.23+28 (79ea10b2d81c) (2014-03-12)
Dear libidn maintainers,
This program causes a crash for me with libidn 1.31:
"""
#include <idna.h>
int main() {
const char input[] = "\200bad.com";
char *output;
idna_to_unicode_8z8z(input, &output, 0);
return 0;
}
"""
idna_to_unicode_8z8z ought to return IDNA_ICONV_ERROR because the input
isn't valid UTF-8. However, it winds up calling free() with a junk
pointer as a parameter. This is because:
- in idna_to_unicode_8z8z, "char *ucs4" is uninitialised
- idna_to_unicode_8z8z calls idna_to_unicode_8z4z, which returns
IDNA_CONV_ERROR without initialising ucs4
- idna_to_unicode_8z8z then does "free(ucs4)" before checking the return
value from idna_to_unicode_8z4z
It looks like some of the other API functions use the same pattern (e.g.
..._8zlz), so it would be worth checking those as well.
This actually showed up for me as a crash in Courier's "maildrop" MDA
(http://www.courier-mta.org/maildrop/) -- if you feed it a message with
a From: line where the email address isn't valid UTF-8, it'll wind up
calling idna_to_unicode_8z8z on it and crashing as above.
Thanks,
--
Adam Sampson <address@hidden> <http://offog.org/>
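The two-line fix the report implies (initialise the intermediate pointer to NULL and check the callee's return code before freeing it), shown on a small stand-in for the libidn wrapper pattern. This is an added example, not libidn's code and not part of the report; the function and enum names are assumptions, and the inner converter only accepts ASCII so that it fails early on the same input.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Return codes modelled loosely on libidn's; values are assumptions. */
enum { CONV_OK = 0, CONV_ICONV_ERROR = 1 };

/* Stand-in for idna_to_unicode_8z4z: on invalid input it returns an error
 * and, like the real function described in the report, leaves *out
 * untouched. Accepts only ASCII to keep the toy small. */
static int to_unicode_8z4z(const char *in, uint32_t **out)
{
    size_t n = strlen(in);
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)in[i] >= 0x80)
            return CONV_ICONV_ERROR;      /* early return: *out not assigned */
    *out = malloc((n + 1) * sizeof **out);
    if (!*out)
        return CONV_ICONV_ERROR;
    for (size_t i = 0; i <= n; i++)
        (*out)[i] = (unsigned char)in[i];
    return CONV_OK;
}

/* Hardened wrapper: the buggy pattern in the report frees ucs4 before
 * checking rc, with ucs4 never initialised. Both problems are fixed here. */
int to_unicode_8z8z_fixed(const char *in, char **out)
{
    uint32_t *ucs4 = NULL;                /* fix 1: never a junk pointer */
    int rc = to_unicode_8z4z(in, &ucs4);
    if (rc != CONV_OK) {                  /* fix 2: check before free() */
        *out = NULL;
        return rc;
    }
    size_t n = 0;
    while (ucs4[n])
        n++;
    *out = malloc(n + 1);
    if (*out)
        for (size_t i = 0; i <= n; i++)
            (*out)[i] = (char)ucs4[i];
    free(ucs4);                           /* only reached with a real allocation */
    return *out ? CONV_OK : CONV_ICONV_ERROR;
}
```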