[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Fix for invalid read of size 4 in idna_to_ascii_4z
From: |
Alessandro Ghedini |
Subject: |
Re: [PATCH] Fix for invalid read of size 4 in idna_to_ascii_4z |
Date: |
Wed, 10 Jun 2015 21:14:24 +0200 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
On Mon, Jun 08, 2015 at 11:53:53PM +0200, Simon Josefsson wrote:
> Alessandro Ghedini <address@hidden> writes:
>
> > Hello,
> >
> > this bug was originally reported at [0], but then closed because it isn't
> > libidn's fault. However, I was able to make a little modification to libidn
> > that fixed the problem for me.
> >
> > The change simply involves replacing strlen()+malloc()+strcpy() with
> > strdup()
> > (see the attached patch), and AFAICT all the tests pass. So I thought that
> > maybe you wanted to have a look at it and maybe merge it.
>
> Is there any reason you want this instead of the normal approach of
> using a valgrind suppressions file?
Well, from a libidn user perspective, not having to deal with valgrind
suppressions at all would make my life easier, and many people don't even know
they need suppressions for libidn in the first place. Additionally, e.g. Debian
packages don't ship the suppression file, so one would also need to either
download the libidn sources or write his own suppression file every time.
> The valgrind warning is caused by glibc/gcc optimizations, and those are
> typically silenced.
Yes, that's true, but in this case the patch for libidn is IMO really simple
and I don't see any downside to merging it (do tell if you have any reserve
regarding the patch itself though).
> Getting it include in valgrind may be possible, I don't know their
> policy on their default suppression files.
As far as I can tell they only provide suppressions for glibc, so I don't
think they'd accept additions for external libraries (but I may be wrong).
Hope this helps.
Cheers