Re: Incorrect UTF-8 error handling in libidn-1.31 causes bad free()
From: Simon Josefsson
Subject: Re: Incorrect UTF-8 error handling in libidn-1.31 causes bad free()
Date: Sat, 01 Aug 2015 15:16:32 +0200
User-agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
Adam Sampson <address@hidden> writes:
> Dear libidn maintainers,
>
> This program causes a crash for me with libidn 1.31:
>
> """
> #include <idna.h>
>
> int main() {
> const char input[] = "\200bad.com";
> char *output;
>
> idna_to_unicode_8z8z(input, &output, 0);
>
> return 0;
> }
> """
>
> idna_to_unicode_8z8z ought to return IDNA_ICONV_ERROR because the input
> isn't valid UTF-8. However, it winds up calling free() with a junk
> pointer as a parameter. This is because:
>
> - in idna_to_unicode_8z8z, "char *ucs4" is uninitialised
> - idna_to_unicode_8z8z calls idna_to_unicode_8z4z, which returns
> IDNA_ICONV_ERROR without initialising ucs4
> - idna_to_unicode_8z8z then does "free(ucs4)" before checking the return
> value from idna_to_unicode_8z4z
>
> It looks like some of the other API functions use the same pattern (e.g.
> ..._8zlz), so it would be worth checking those as well.
Thank you for the test, report and analysis! Indeed I found the same
problem in idna_to_unicode_8z8z and idna_to_unicode_8zlz. Stay tuned
for a fix.
/Simon
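The defect pattern from the report beside its corrected form, as an added example that is not libidn's code: `to_ucs4` is a hypothetical stand-in for idna_to_unicode_8z4z that, on malformed UTF-8, returns an error without touching the output pointer; the return-code values and the `count_cps_*` wrappers are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Return codes modelled on the libidn names in the report; the numeric values are assumed. */
enum { IDNA_SUCCESS = 0, IDNA_ICONV_ERROR = 1, IDNA_MALLOC_ERROR = 2 };
/* Structural UTF-8 check: valid lead byte, correct number of continuation bytes, no C0/C1/F5+.
   The report's "\200bad.com" starts with 0x80, a bare continuation byte, so it fails here. */
static int utf8_ok(const unsigned char *s) {
    while (*s) {
        int n = *s < 0x80 ? 0 : (*s & 0xE0) == 0xC0 ? 1 : (*s & 0xF0) == 0xE0 ? 2 : (*s & 0xF8) == 0xF0 ? 3 : -1;
        if (n < 0 || *s == 0xC0 || *s == 0xC1 || *s > 0xF4) return 0;
        for (s++; n > 0; n--, s++)
            if ((*s & 0xC0) != 0x80) return 0;
    }
    return 1;
}
/* Hypothetical stand-in for idna_to_unicode_8z4z: on bad UTF-8 it returns an error and, as the
   report describes, leaves *out untouched; otherwise *out is a malloc'd, 0-terminated UCS-4 string. */
static int to_ucs4(const char *in, uint32_t **out) {
    const unsigned char *s = (const unsigned char *)in;
    size_t i = 0;
    if (!utf8_ok(s)) return IDNA_ICONV_ERROR;
    uint32_t *u = malloc((strlen(in) + 1) * sizeof *u);
    if (!u) return IDNA_MALLOC_ERROR;
    while (*s) {
        int n = *s < 0x80 ? 0 : (*s & 0xE0) == 0xC0 ? 1 : (*s & 0xF0) == 0xE0 ? 2 : 3;
        uint32_t cp = n == 0 ? *s : (*s & (0x3Fu >> n));
        for (s++; n > 0; n--, s++) cp = (cp << 6) | (*s & 0x3F);
        u[i++] = cp;
    }
    u[i] = 0;
    *out = u;
    return IDNA_SUCCESS;
}
/* The defective pattern from the report: ucs4 is uninitialised and used/freed before rc is checked.
   On invalid input this is undefined behaviour (the bad free() in the report); only call it on valid UTF-8. */
static int count_cps_buggy(const char *in, size_t *n) {
    uint32_t *ucs4;
    int rc = to_ucs4(in, &ucs4);
    for (*n = 0; ucs4[*n]; (*n)++) ;   /* reads a junk pointer when rc != IDNA_SUCCESS */
    free(ucs4);                        /* frees that junk pointer on the error path */
    return rc;
}
/* Corrected pattern: NULL-initialise (free(NULL) is a no-op) and check rc before using the buffer. */
static int count_cps_fixed(const char *in, size_t *n) {
    uint32_t *ucs4 = NULL;
    int rc = to_ucs4(in, &ucs4);
    if (rc != IDNA_SUCCESS) return rc;  /* nothing was allocated, nothing to free */
    for (*n = 0; ucs4[*n]; (*n)++) ;
    free(ucs4);
    return IDNA_SUCCESS;
}
```

Running `count_cps_buggy` on the report's input under AddressSanitizer or valgrind reproduces the invalid free; `count_cps_fixed` returns the error cleanly.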