Libpidgin buffer overflow write in irc_parse_ctcp
Joseph Bisch
joseph.bisch at gmail.com
Tue Sep 26 23:50:53 EDT 2017
While fuzzing the libpurple irc protocol parsing code in the
release-2.x.y branch, I encountered a write that happens one byte to
the left of a buffer.
See: https://bitbucket.org/pidgin/main/src/7b4e9bdf079e2721edf515b080be099b956ee6f7/libpurple/protocols/irc/parse.c?at=release-2.x.y&fileviewer=file-view-default#parse.c-594
The strlen can return 0. Then 1 is subtracted from it, leading to the
NULL terminator being written one byte before the start of the buffer.
In some cases this may cause a crash.
I can reproduce the crash using Pidgin compiled with ASan. Connect to
the following server:
echo $': notice a :\x01\n' | nc -l -p 6667
Joseph
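The pattern the report describes, as an added illustration that is not code from the report or from libpurple: a stand-in for the CTCP-unwrapping step (copy the text after the leading \001, then overwrite the trailing \001 with NUL), the same step with a length check, and a minimal extraction of the trailing IRC parameter so the reproduction line above can be traced to the one-byte message. All function names (irc_trailing, ctcp_unwrap_vulnerable, ctcp_unwrap_fixed, ctcp_terminator_index) and the sample line are constructed for this example; the real parse.c may differ in detail.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a heap copy of the trailing parameter of a raw
 * IRC line (everything after the first " :"), without the line terminator.
 * Not libpurple's parser; just enough to follow the netcat reproduction. */
static char *irc_trailing(const char *line)
{
    const char *p = strstr(line, " :");
    if (p == NULL)
        return NULL;
    p += 2;
    size_t n = strcspn(p, "\r\n");
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return out;
}

/* The index the vulnerable line computes. size_t is unsigned, so for an
 * empty inner string strlen("") - 1 wraps to SIZE_MAX, which in practice
 * addresses the byte just before the buffer. Safe to call: it only
 * computes the index and never dereferences it. */
static size_t ctcp_terminator_index(const char *inner)
{
    return strlen(inner) - 1;
}

/* Stand-in for the vulnerable pattern: msg is assumed to start with \001.
 * For msg == "\001" the copy is "" and the store goes to ctcp[-1], the
 * one-byte write before the buffer that ASan reports. Only call this with
 * a well-formed message unless you are deliberately triggering the bug. */
static char *ctcp_unwrap_vulnerable(const char *msg)
{
    char *ctcp = strdup(msg + 1);
    if (ctcp == NULL)
        return NULL;
    ctcp[strlen(ctcp) - 1] = '\0';   /* BUG: index wraps when strlen is 0 */
    return ctcp;
}

/* Hardened form: require two distinct delimiter bytes before touching the
 * interior, so the subtraction can never underflow. Returns NULL for
 * anything that is not \001 ... \001 with length >= 2. */
static char *ctcp_unwrap_fixed(const char *msg)
{
    size_t len = strlen(msg);
    if (len < 2 || msg[0] != '\001' || msg[len - 1] != '\001')
        return NULL;
    size_t inner = len - 2;           /* bytes strictly between delimiters */
    char *ctcp = malloc(inner + 1);
    if (ctcp == NULL)
        return NULL;
    memcpy(ctcp, msg + 1, inner);
    ctcp[inner] = '\0';
    return ctcp;
}

/* Small comparison helpers so results can be checked without leaking. */
static int unwrap_equals(const char *msg, const char *expected)
{
    char *r = ctcp_unwrap_fixed(msg);
    int ok = (r != NULL && strcmp(r, expected) == 0);
    free(r);
    return ok;
}

static int trailing_equals(const char *line, const char *expected)
{
    char *r = irc_trailing(line);
    int ok = (r != NULL && strcmp(r, expected) == 0);
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed copy of the reproduction line the report sends with nc. */
    const char *raw = ": notice a :\001\n";
    char *msg = irc_trailing(raw);
    printf("trailing parameter length: %zu\n", strlen(msg));           /* 1 */
    printf("index the bug computes:    %zu\n", ctcp_terminator_index(msg + 1));
    char *safe = ctcp_unwrap_fixed(msg);
    printf("hardened unwrap: %s\n", safe ? safe : "rejected");
    char *ok = ctcp_unwrap_vulnerable("\001VERSION\001");  /* well-formed input */
    printf("well-formed CTCP body: %s\n", ok);
    free(ok);
    free(safe);
    free(msg);
    return 0;
}
```

Compile with -fsanitize=address and call ctcp_unwrap_vulnerable(msg) on the extracted "\001" to see the heap-buffer-underflow report the original describes; the hardened version rejects that message because a single byte cannot be both the opening and closing delimiter.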