Pidgin attempts to free an address which was not malloc()-ed
dequis
dx at dxzone.com.ar
Wed Sep 20 13:02:40 EDT 2017
Can repro under valgrind and 2.12.0
Manually minimized testcase:
:a 001 a :a
:a 375 a :a
:a 422 a :a
Looks like 422 is doing g_string_free(irc->motd, TRUE); without
setting it to NULL, so trying to disconnect results in a double free
(as in double freedom)
On 20 September 2017 at 13:54, Joseph Bisch <joseph.bisch at gmail.com> wrote:
> I'm not too familiar with hg, but hg parent output is:
>
> changeset: 38686:0c8abea27d96
> tag: tip
> parent: 38655:cb39c7ee8567
> parent: 38685:262e7e2b84bc
> user: Gary Kramlich <grim at reaperworld.com>
> date: Tue Sep 19 03:14:48 2017 +0000
> summary: Merged in rw_grim/pidgin (pull request #252)
>
> The web interface seems to show that line:
> https://bitbucket.org/pidgin/main/src/46a5db31d820b08bc294bba481af8ed9ff0165c2/libpurple/protocols/irc/msgs.c?at=default&fileviewer=file-view-default#msgs.c-752
>
> On Wed, Sep 20, 2017 at 12:47 PM, Ethan Blanton <elb at pidgin.im> wrote:
>> Joseph Bisch wrote:
>>> While fuzzing Pidgin, I encountered a crash associated with Pidgin
>>> attempting to free an address which was not malloc()-ed. I am
>>> attaching the ASan output and a testcase. I minimized the original
>>> fuzzing logs to get the testcase, but the ASan output is from the
>>> actual fuzzing session. So the testcase seems to cause the bad free to
>>> happen in irc_close when attempting to free irc->motd instead of the
>>> location in the attached ASan log file.
>>
>> What version of Pidgin is this? That line is not in irc_msg_motd in
>> the current sources.
>>
>> Ethan
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
More information about the security
mailing list