Re: wget2 | Buffer overflow in `wget_iri_clone` (#687)
From: @rockdaboot
Subject: Re: wget2 | Buffer overflow in `wget_iri_clone` (#687)
Date: Sun, 26 Jan 2025 11:16:51 +0000
Tim Rühsen commented:
https://gitlab.com/gnuwget/wget2/-/issues/687#note_2315121245
Your analysis looks valid to me.
I wondered why the iri fuzzer doesn't catch it (see
[here](https://gitlab.com/gnuwget/wget2/-/blob/master/fuzz/libwget_iri_fuzzer.c?ref_type=heads#L57))
- well, obviously, the fuzzer doesn't call `wget_iri_clone()` after
`wget_iri_set_scheme()`.
When cloning the `iri` after `wget_iri_set_scheme()`, `make check-valgrind`
finds the issue right away with the existing fuzz corpora:
```
==76172== Invalid read of size 2
==76172==    at 0x484DE90: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==76172==    by 0x4877EC6: wget_iri_clone (iri.c:723)
==76172==    by 0x10A558: test (libwget_iri_fuzzer.c:59)
==76172==    by 0x10A5C4: LLVMFuzzerTestOneInput (libwget_iri_fuzzer.c:91)
==76172==    by 0x10A68C: test_all_from (main.c:57)
==76172==    by 0x10A82C: main (main.c:118)
==76172==  Address 0x5bfd060 is 4 bytes after a block of size 12 alloc'd
==76172==    at 0x4848C43: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==76172==    by 0x487C9B3: wget_realloc (wget.h:469)
==76172==    by 0x487C9B3: wget_vasprintf (printf.c:66)
==76172==    by 0x487CB57: wget_aprintf (printf.c:126)
==76172==    by 0x4878AB1: wget_iri_set_scheme (iri.c:1449)
==76172==    by 0x10A54E: test (libwget_iri_fuzzer.c:57)
==76172==    by 0x10A5C4: LLVMFuzzerTestOneInput (libwget_iri_fuzzer.c:91)
==76172==    by 0x10A68C: test_all_from (main.c:57)
==76172==    by 0x10A82C: main (main.c:118)
```
I'll analyze the code now, without looking at your proposal, to see whether we
come to the same conclusion/fix.