one byte buffer overread in function purple_markup_linkify

Ethan Blanton elb at pidgin.im
Fri Apr 14 09:28:22 EDT 2017


Hanno Böck wrote:
> I did some fuzzing after I saw the latest security vulnerability in
> pidgin.
> I'm not entirely sure whether all the markup functions are supposed to
> be resilient to invalid inputs, but it's certainly better if they are.

This is a general problem with UTF-8 APIs.  Performing UTF-8
validation everywhere is expensive, but failing to perform it
everywhere can lead to processing a non-UTF-8 string as UTF-8.  The
byte sequence you present is not valid UTF-8, which the purple_markup
family expects as part of its contract.

So while I agree that it would be ideal for these methods to be robust
to invalid UTF-8, they are not.  Everything passed to a purple_markup
function from the network should have been validated as UTF-8 (or
passed through purple_utf8_salvage or the like to "fix" it if it was
not).

I don't believe that this is a security problem, or a "bug" as such.
However, if you can find a place where a purple_markup function is
potentially *passed* an invalid UTF-8 string, then that is absolutely
a bug and should be addressed!

Thank you for your clear and detailed report, and your efforts toward
making Pidgin and libpurple more robust.

Ethan
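The reply's point is that the purple_markup functions rely on a contract (input is valid UTF-8) and that the validation belongs at the network boundary, before the string ever reaches them. The following is an added example, not libpurple code and not part of the original thread: a self-contained UTF-8 validator in the style of the check a caller would apply (in real libpurple one would use g_utf8_validate from GLib or the purple_utf8_salvage path the reply mentions). The function names `utf8_is_valid` and `markup_input_ok` are hypothetical. The validator checks the remaining buffer length before it touches any continuation byte, so a multibyte sequence truncated by the end of the buffer is rejected rather than read past the end, which is exactly the failure mode a markup routine that trusts its contract cannot protect against on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if buf[0..len) is well-formed UTF-8, else 0.
 * Hypothetical helper for this example; the important property is that
 * the length check happens before any continuation byte is read, so a
 * lead byte sitting at the very end of the buffer is rejected instead of
 * causing a read past `len`. */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;       /* number of continuation bytes expected */
        uint32_t cp;       /* decoded code point, for range checks   */

        if (c < 0x80) {            /* plain ASCII */
            i++;
            continue;
        } else if ((c & 0xE0) == 0xC0) {
            if (c < 0xC2) return 0;    /* C0/C1 are always overlong */
            need = 1; cp = c & 0x1F;
        } else if ((c & 0xF0) == 0xE0) {
            need = 2; cp = c & 0x0F;
        } else if ((c & 0xF8) == 0xF0) {
            if (c > 0xF4) return 0;    /* beyond U+10FFFF */
            need = 3; cp = c & 0x07;
        } else {
            return 0;                  /* stray continuation or invalid lead byte */
        }

        /* Bounds check BEFORE touching buf[i+1..i+need]. */
        if (len - i - 1 < need) return 0;

        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = buf[i + k];
            if ((cc & 0xC0) != 0x80) return 0;   /* not a continuation byte */
            cp = (cp << 6) | (cc & 0x3F);
        }

        /* Reject overlong encodings, UTF-16 surrogates and out-of-range values. */
        if (need == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
        if (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;

        i += need + 1;
    }
    return 1;
}

/* Gate a NUL-terminated string received from the network: only return 1
 * when it is safe to hand on to a routine whose contract requires UTF-8. */
int markup_input_ok(const char *s)
{
    return utf8_is_valid((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample inputs: the last one ends in a lead byte with
     * no continuation bytes, the shape of a truncated sequence. */
    const char *samples[] = { "plain ascii", "h\xC3\xA9llo", "abc\xE2" };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("sample %zu: %s\n", n, markup_input_ok(samples[n]) ? "valid" : "rejected");
    return 0;
}
```

A caller that applies this gate (or g_utf8_validate) once, at the point where bytes arrive from the network, lets every downstream markup function keep its simple contract without paying for validation on each call.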

