one byte buffer overread in function purple_markup_linkify

Hanno Böck hanno at hboeck.de
Fri Apr 14 04:45:11 EDT 2017


Hi,

I did some fuzzing after I saw the latest security vulnerability in
pidgin.
I'm not entirely sure whether all the markup functions are supposed to
be resilient to invalid inputs, but it's certainly better if they are.

I found a one-byte buffer overread in the function
purple_markup_linkify().

This can be detected by building libpurple with address sanitizer. See
the attached example code "libpurple-oob.c".
The input bytes causing the overread:
{0x2e, 0xc0, 0x80, 0x40, 0x30, 0x00};

Compile pidgin with address sanitizer:

./configure CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" --disable-shared --disable-gtkspell --disable-meanwhile --disable-tk

make

Then compile the example code and link it against the static
libpurple.a we just created:

gcc libpurple-oob.c ./libpurple/.libs/libpurple.a $(pkg-config --libs --cflags dbus-glib-1 dbus-1 gio-2.0 glib-2.0 gobject-2.0 gmodule-2.0 libxml-2.0 libidn purple) -lresolv -lm -fsanitize=address -g

produces this error:
==26925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e36f at pc 0x55c7ba630e7c bp 0x7ffcc3c56070 sp 0x7ffcc3c56068
READ of size 1 at 0x60200000e36f thread T0
    #0 0x55c7ba630e7b in purple_markup_linkify /mnt/ram/pidgin-2.12.0/libpurple/util.c:2289

(I'll attach the full error message)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple-oob.c
Type: text/x-c++src
Size: 211 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170414/2ee9caa0/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple-purple_markup_linkify-asan-error.txt.xz
Type: application/x-xz
Size: 944 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170414/2ee9caa0/attachment.xz>
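Added illustration (not the scrubbed libpurple-oob.c attachment and not libpurple code): the harness pattern the report relies on is to copy the fuzzer input into a heap buffer with no slack, so that any read one byte past the end lands in an AddressSanitizer redzone and is flagged as heap-buffer-overflow. The scanner below, `count_at_candidates`, is a hypothetical stand-in for a linkify-style routine that looks at the neighbours of each '@'; it shows the guard that has to precede every look-behind and look-ahead access. The input bytes are the ones listed in the report; the function and its logic are constructed here and say nothing about the actual cause in util.c. A real reproducer links libpurple and replaces the scanner call with purple_markup_linkify().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fuzzer-found input from the report, copied here as listed. */
static const unsigned char crash_input[] = {0x2e, 0xc0, 0x80, 0x40, 0x30, 0x00};

/* Heap copy with no slack: the allocation is exactly len bytes, so buf[len]
 * is already past the end and ASan reports any read there. */
static char *exact_heap_copy(const unsigned char *src, size_t len)
{
    char *copy = malloc(len);
    if (copy == NULL)
        abort();
    memcpy(copy, src, len);
    return copy;
}

/* Hypothetical linkify-style scanner (constructed, not libpurple's): count
 * '@' characters that have a non-NUL byte on both sides. Each neighbour
 * access is bounds-checked first; dropping the "i + 1 >= len" test is the
 * classic way a one-byte overread appears in this kind of loop. */
int count_at_candidates(const char *buf, size_t len)
{
    int count = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '@')
            continue;
        /* Look-behind is only legal when i > 0. */
        if (i == 0 || buf[i - 1] == '\0')
            continue;
        /* Look-ahead is only legal when i + 1 < len. */
        if (i + 1 >= len || buf[i + 1] == '\0')
            continue;
        count++;
    }
    return count;
}

/* Run the scanner on the report's bytes through a tight heap buffer, the way
 * an ASan harness would. Returns the scanner's result (1 for this input). */
int run_reproducer(void)
{
    size_t len = sizeof(crash_input);             /* includes the trailing 0x00 */
    char *buf = exact_heap_copy(crash_input, len);
    int n = count_at_candidates(buf, strlen(buf)); /* strlen stops at the NUL */
    free(buf);
    return n;
}

int main(void)
{
    printf("candidates found: %d\n", run_reproducer());
    return 0;
}
```

Build it the same way the report builds the harness, with -fsanitize=address -g, and swap the scanner call for the library function under test; with the tight allocation, the first byte read beyond the NUL terminator produces the same "READ of size 1" report shown above.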

