Pidgin attempts to free an address which was not malloc()-ed

Joseph Bisch joseph.bisch at gmail.com
Wed Sep 20 12:41:10 EDT 2017


Hi,

While fuzzing Pidgin, I encountered a crash associated with Pidgin
attempting to free an address which was not malloc()-ed. I am
attaching the ASan output and a testcase. I minimized the original
fuzzing logs to get the testcase, but the ASan output is from the
actual fuzzing session. So the testcase seems to cause the bad free to
happen in irc_close when attempting to free irc->motd instead of the
location in the attached ASan log file.

Steps to reproduce:

1) cat pidgin.min | nc -l -p 6667
2) start pidgin
3) create an IRC account that connects to localhost, if not already done previously
4) try to quit pidgin
5) get output from ASan or a coredump (it intermittently switches
between the two for me between runs)

When I was fuzzing, the crash happened without any user interaction
after connecting to the IRC network (i.e. I did not have to try to
quit Pidgin for the crash to occur), but the testcase I am attaching
seems to require the user to attempt to quit Pidgin. Let me know if
you want the full log file from the fuzzer, but it is large for email.

Also, I tested this with the Pidgin package from Arch Linux and it also
gives me a crash, so I know it isn't something with the way I compiled
Pidgin.

Joseph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin.asan
Type: application/octet-stream
Size: 5607 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170920/e199fdee/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin.min
Type: application/octet-stream
Size: 11977 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170920/e199fdee/attachment-0001.obj>
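The report above names the failure mode (a free() of an address that was never returned by malloc(), reported in irc_close on irc->motd) but not its cause. As an added illustration that is not Pidgin's code and makes no claim about the actual root cause, the C program below models that class of bug with a hypothetical `struct conn`: on one path its `motd` field aliases a static buffer, so the unconditional free() at teardown is exactly what ASan reports as "attempting free on address which was not malloc()-ed". The hardened variant makes the struct the sole owner of `motd` (always a fresh heap copy), so teardown is unconditional and idempotent. Build with `gcc -fsanitize=address -g` to see the sanitizer report if you uncomment the unsafe call in main().

```c
/* Added example, not Pidgin source. Models the bad-free class from the report.
 * Build: gcc -fsanitize=address -g bad_free_demo.c -o bad_free_demo */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MOTD_MAX 4096

/* Hypothetical connection state, loosely named after irc->motd in the report. */
struct conn {
    char *motd;   /* text of the message of the day, or NULL */
};

/* --- Unsafe pattern ------------------------------------------------------ */

/* Some parsers keep a static scratch buffer for the current line. */
static char scratch[MOTD_MAX];

/* Unsafe: depending on the path taken, motd is either a heap copy or a pointer
 * into the static scratch buffer. The struct cannot tell which it holds. */
void motd_set_unsafe(struct conn *c, const char *line, bool copy)
{
    if (copy) {
        c->motd = strdup(line);            /* heap: free() is fine */
    } else {
        strncpy(scratch, line, MOTD_MAX - 1);
        scratch[MOTD_MAX - 1] = '\0';
        c->motd = scratch;                 /* NOT malloc()-ed */
    }
}

/* Unsafe teardown: free()s whatever motd points at. When it points into
 * scratch, ASan aborts with "attempting free on address which was not
 * malloc()-ed"; without ASan, glibc usually aborts with "free(): invalid pointer". */
void close_unsafe(struct conn *c)
{
    free(c->motd);
    c->motd = NULL;
}

/* --- Hardened pattern ---------------------------------------------------- */

/* The struct always owns motd: every assignment is a fresh heap copy and the
 * previous copy is released first. No path can leave a borrowed pointer in it. */
int motd_set(struct conn *c, const char *line)
{
    char *copy = strdup(line);
    if (copy == NULL)
        return -1;                         /* allocation failure, state unchanged */
    free(c->motd);                         /* free(NULL) is a no-op */
    c->motd = copy;
    return 0;
}

/* Teardown is now unconditional and idempotent: motd is either NULL or heap. */
int conn_close(struct conn *c)
{
    free(c->motd);
    c->motd = NULL;
    return 0;
}

/* Returns the current motd length so a caller can check state without
 * touching the pointer directly; 0 when no motd is held. */
size_t motd_len(const struct conn *c)
{
    return c->motd ? strlen(c->motd) : 0;
}

int main(void)
{
    struct conn c = { .motd = NULL };

    /* Safe path: two assignments (second frees the first), then close twice. */
    motd_set(&c, "- Welcome to the hypothetical server");
    motd_set(&c, "- Second MOTD line replaces the first");
    printf("motd (%zu bytes): %s\n", motd_len(&c), c.motd);
    conn_close(&c);
    conn_close(&c);                        /* harmless: motd is already NULL */

    /* Unsafe path, left commented out because it aborts the process:
     * motd_set_unsafe(&c, "borrowed", false);
     * close_unsafe(&c);   // ASan: attempting free on address which was not malloc()-ed
     */
    return 0;
}
```

The check a reviewer would want in the real code is the same one the hardened variant enforces: every store into the field that irc_close frees must be an allocation the struct owns, on every path including error and reconnect paths, and the free must follow with the field reset to NULL so a second teardown cannot double-free.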
