Libpurple IRC out-of-bounds read in irc_nick_skip_mode

Joseph Bisch joseph.bisch at gmail.com
Fri Sep 22 07:46:03 EDT 2017


The following is an issue identified while fuzzing pidgin branch release-2.x.y.

The irc_nick_skip_mode function in parse.c in the libpurple IRC code
appears to make the assumption that strchr will return NULL once the
nick parameter's NULL terminator is reached. However, according to the
Linux man pages, if the character passed to strchr is the NULL
character, then strchr will return a pointer to the NULL terminator
of the string passed to strchr.

In other words, the increment inside the body of the loop will still
happen even if *nick == '\0', making the returned nick point at least
one byte past the end of where it should.

The attached testcase/reproducer has an extra space so the first
parameter to PRIVMSG is an empty string. However it can instead be
replaced with any number of '@' characters for example and still
trigger the issue.

Joseph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidginstrchr.min2
Type: application/octet-stream
Size: 15 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170922/b5b9ba0d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidginstrchr.log
Type: text/x-log
Size: 3188 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170922/b5b9ba0d/attachment.bin>
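The strchr property and the loop behaviour described in the report, as an added, self-contained example. This is not libpurple's code and the function below is a hypothetical reconstruction of the pattern, not the real irc_nick_skip_mode; the prefix set "@+%" and the byte buffers are constructed so the overrun stays inside memory the program owns and the distance walked past the terminator can be measured.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input (not the attached reproducer): the nick "@@" followed by
 * extra NUL bytes and a sentinel 'X' standing in for whatever happens to sit
 * after the real nick in memory.  Keeping the bytes inside one array means the
 * vulnerable walk stays readable without undefined behaviour in this demo. */
const char nick_buf[]  = { '@', '@', '\0', '\0', '\0', 'X', '\0' };
/* Same idea for the empty-string case from the report's reproducer. */
const char empty_buf[] = { '\0', '\0', 'X', '\0' };

/* Assumed mode prefix set; a real server advertises it in PREFIX= of 005. */
const char *const MODE_PREFIXES = "@+%";

/* strchr(s, '\0') returns a pointer to s's terminator, not NULL (C11 7.24.5.2).
 * Returns 1 if the libc behaves as the standard says. */
int strchr_nul_is_nonnull(void)
{
    const char *p = strchr(MODE_PREFIXES, '\0');
    return p != NULL && *p == '\0' && p == MODE_PREFIXES + strlen(MODE_PREFIXES);
}

/* Hypothetical reconstruction of the vulnerable pattern: advance while the
 * current byte is a mode prefix, relying on strchr to return NULL at the
 * terminator.  It does not, so '\0' counts as a match and the loop keeps
 * walking until it meets a byte that is genuinely outside the prefix set. */
const char *skip_mode_vulnerable(const char *nick)
{
    while (strchr(MODE_PREFIXES, *nick))
        nick++;
    return nick;
}

/* Hardened form: test for the terminator before consulting strchr. */
const char *skip_mode_fixed(const char *nick)
{
    while (*nick != '\0' && strchr(MODE_PREFIXES, *nick) != NULL)
        nick++;
    return nick;
}

/* Distance in bytes from the start of buf to the pointer each version returns;
 * anything larger than strlen(buf) is a read past the terminator. */
size_t vuln_offset(const char *buf)  { return (size_t)(skip_mode_vulnerable(buf) - buf); }
size_t fixed_offset(const char *buf) { return (size_t)(skip_mode_fixed(buf) - buf); }

int main(void)
{
    printf("strchr(s, '\\0') non-NULL: %d\n", strchr_nul_is_nonnull());
    printf("nick \"@@\" (len %zu): vulnerable stops at +%zu, fixed at +%zu\n",
           strlen(nick_buf), vuln_offset(nick_buf), fixed_offset(nick_buf));
    printf("nick \"\" (len %zu): vulnerable stops at +%zu, fixed at +%zu\n",
           strlen(empty_buf), vuln_offset(empty_buf), fixed_offset(empty_buf));
    return 0;
}
```

With the constructed buffers the vulnerable loop returns a pointer 5 bytes into nick_buf (the string itself is 2 bytes long) and 2 bytes into empty_buf, which is exactly the "at least one byte past the end" the report describes; the hardened loop stops at the terminator in both cases. In real memory the bytes after the nick are whatever follows in the message buffer, so the caller may then parse data it was never meant to see.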

