Libpidgin buffer overflow write in irc_parse_ctcp

Joseph Bisch joseph.bisch at
Tue Sep 26 23:50:53 EDT 2017

While fuzzing the libpurple irc protocol parsing code in the
release-2.x.y branch, I encountered a write that happens one byte to
the left of a buffer.


The strlen can return 0. Then 1 is subtracted from it, leading to the
NULL terminator being written one byte before the start of the buffer.
In some cases this may cause a crash.

I can reproduce the crash using Pidgin compiled with ASan. Connect to
the following server:

echo $': notice a :\x01\n' | nc -l -p 6667


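The following is an added example, not Pidgin's code and not part of the report above. It is a constructed stand-in for the pattern the report describes: a CTCP-wrapped trailing parameter whose closing \x01 is stripped by writing a NUL at strlen(msg) - 1, so an empty remainder underflows and the write lands one byte before the buffer. The function names (ctcp_strip_vuln, ctcp_unwrap_safe, irc_trailing, demo_underflow) and the simplified IRC line handling are assumptions made for the demonstration; the input string is the one from the report's nc one-liner.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (constructed, not Pidgin's code): strlen() of an empty
 * string is 0, so len - 1 wraps to SIZE_MAX and the NUL lands at msg[-1].
 * noinline keeps the compiler from folding the call site's constant string. */
__attribute__((noinline))
static void ctcp_strip_vuln(char *msg)
{
    size_t len = strlen(msg);
    msg[len - 1] = '\0';        /* writes one byte to the left when len == 0 */
}

/* Hardened version (assumed fix, not the project's patch): unwrap a CTCP
 * trailing parameter in place and return the inner text, or NULL when the
 * framing is malformed. Rejecting "\x01" alone avoids the underflow. */
static char *ctcp_unwrap_safe(char *trailing)
{
    size_t len;

    if (trailing == NULL || trailing[0] != '\x01')
        return NULL;
    trailing++;                         /* skip the opening delimiter */
    len = strlen(trailing);             /* 0 for the bare "\x01" payload */
    if (len == 0 || trailing[len - 1] != '\x01')
        return NULL;                    /* no closing delimiter: reject */
    trailing[len - 1] = '\0';           /* safe: len >= 1 here */
    return trailing;
}

/* Simplified trailing-parameter extraction (assumption): the text after the
 * first " :" in the line. Enough for the report's input; real IRC parsing
 * must also handle the prefix and middle parameters. */
static char *irc_trailing(char *line)
{
    char *p = strstr(line, " :");
    return p ? p + 2 : NULL;
}

/* Shows the underflow without ASan: a canary byte sits directly before an
 * empty string, and the vulnerable strip clobbers it. Returns 1 if the byte
 * before the message was overwritten. Constructed test buffer. */
static int demo_underflow(void)
{
    char buf[4];

    memset(buf, 'C', sizeof buf);       /* canary bytes */
    buf[1] = '\0';                      /* msg = "" located at buf + 1 */
    ctcp_strip_vuln(buf + 1);
    return buf[0] == '\0';
}

int main(void)
{
    /* The report's server line, as sent by: echo $': notice a :\x01\n' */
    char line[] = ": notice a :\x01";
    char *trailing = irc_trailing(line);
    char *inner = ctcp_unwrap_safe(trailing);

    printf("canary clobbered by vulnerable strip: %d\n", demo_underflow());
    printf("hardened unwrap of bare \\x01 payload: %s\n",
           inner ? inner : "(rejected as malformed)");
    return 0;
}
```

The hardened version checks both that the remainder is non-empty and that its last byte really is the delimiter; a payload that starts with \x01 but never closes it is treated as malformed rather than silently truncated.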