Libpurple stack overflow in g_markup_escape_text (truncated utf8??)

Joseph Bisch joseph.bisch at gmail.com
Sat Sep 30 12:43:53 EDT 2017


Hi,

There is a stack overflow in libpurple that occurs in g_markup_escape_text.

I believe that it arises due to the following line potentially
truncating valid utf8, leading to invalid utf8.
g_markup_escape_text assumes that the input it receives is valid utf8.

The line I suspect of causing the issue:
https://bitbucket.org/pidgin/main/src/859b15b1c817c0e7daebb3a9ddb4396999504ca6/libpurple/server.c?at=release-2.x.y&fileviewer=file-view-default#server.c-825

I attached the ASan output and a reproducer (to be sent to Pidgin as
if it were coming from an IRC server).

Joseph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin2.log
Type: text/x-log
Size: 4046 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170930/bae7ffc1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin3.min2
Type: application/octet-stream
Size: 5541 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170930/bae7ffc1/attachment.obj>
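Added illustration (not part of the report above, and not libpurple's or GLib's code): the mechanism the report describes, as a self-contained C program. It compares a plain byte-count truncation with one that backs the cut up to a UTF-8 character boundary, runs a small validator over both results, and models a scanner that trusts the length announced by each lead byte, which is how a dangling lead byte right before the NUL terminator makes such a scanner step past the end of the buffer. The function names, the 64-byte buffers and the sample strings are made up for the example; the scanner is a simplified model of the assumption, not GLib's implementation, and the suspected server.c line is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s is well-formed UTF-8, 0 otherwise. A NUL inside a multibyte
 * sequence fails the continuation-byte check, so a cut-off character is
 * reported as invalid without ever reading past the terminator. */
static int utf8_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p) {
        unsigned char c = *p;
        size_t need, i;
        unsigned int cp;
        if (c < 0x80) { p++; continue; }
        if ((c & 0xE0) == 0xC0) { if (c < 0xC2) return 0; need = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { if (c > 0xF4) return 0; need = 3; cp = c & 0x07; }
        else return 0;                  /* stray continuation byte or 0xF5..0xFF */
        for (i = 1; i <= need; i++) {
            if ((p[i] & 0xC0) != 0x80) return 0;   /* also catches NUL: truncated */
            cp = (cp << 6) | (p[i] & 0x3F);
        }
        if (need == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
        if (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
        p += need + 1;
    }
    return 1;
}

/* Copy at most max_bytes of src into dst. With boundary_aware == 0 this is a
 * plain byte-count cut, which can split a multibyte character. With
 * boundary_aware == 1 the cut is moved back over any continuation bytes so
 * the incomplete character is dropped entirely. Returns the bytes written. */
static size_t truncate_utf8(const char *src, size_t max_bytes, int boundary_aware,
                            char *dst, size_t dst_size)
{
    size_t n = strlen(src);
    if (n > max_bytes) n = max_bytes;
    if (n >= dst_size) n = dst_size - 1;
    if (boundary_aware)
        while (n > 0 && ((unsigned char)src[n] & 0xC0) == 0x80)
            n--;    /* src[n] is a continuation byte: the cut is mid-character */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Simplified model (hypothetical, not GLib's code) of a scanner that assumes
 * valid UTF-8: it advances by the length the lead byte announces without
 * checking that the continuation bytes, or the terminator, are really there.
 * Returns 1 if stepping through s that way would move past the NUL, i.e. the
 * kind of out-of-bounds read an ASan build reports. */
static int lead_byte_scan_overruns(const char *s)
{
    size_t len = strlen(s), i = 0;
    while (i < len) {
        unsigned char c = (unsigned char)s[i];
        size_t step = (c < 0x80) ? 1 : ((c & 0xE0) == 0xC0) ? 2
                    : ((c & 0xF0) == 0xE0) ? 3 : ((c & 0xF8) == 0xF0) ? 4 : 1;
        if (i + step > len) return 1;   /* would read beyond the terminator */
        i += step;
    }
    return 0;
}

/* Truncate, then validate: 1 if the result is still well-formed UTF-8. */
static int cut_is_valid(const char *src, size_t max_bytes, int boundary_aware)
{
    char buf[64];
    truncate_utf8(src, max_bytes, boundary_aware, buf, sizeof buf);
    return utf8_valid(buf);
}

/* Truncate, then run the trusting scanner: 1 if it would overrun. */
static int cut_overruns(const char *src, size_t max_bytes, int boundary_aware)
{
    char buf[64];
    truncate_utf8(src, max_bytes, boundary_aware, buf, sizeof buf);
    return lead_byte_scan_overruns(buf);
}

int main(void)
{
    /* Constructed samples: "h\xC3\xA9llo" is "héllo", "a\xE2\x82\xAC" "b" is "a€b". */
    const char *two = "h\xC3\xA9llo";
    const char *three = "a\xE2\x82\xAC" "b";
    printf("byte cut of \"h\\xC3\\xA9llo\" at 2:      valid=%d overrun=%d\n",
           cut_is_valid(two, 2, 0), cut_overruns(two, 2, 0));
    printf("boundary cut of the same at 2:          valid=%d overrun=%d\n",
           cut_is_valid(two, 2, 1), cut_overruns(two, 2, 1));
    printf("byte cut of \"a\\xE2\\x82\\xACb\" at 3:   valid=%d overrun=%d\n",
           cut_is_valid(three, 3, 0), cut_overruns(three, 3, 0));
    return 0;
}
```

The practical check is the pair of results for the byte-count cut: the validator rejects the output and the trusting scanner walks past the NUL, while the boundary-aware cut yields a shorter but well-formed string that both accept. Any length limit applied to text that later reaches a routine requiring valid UTF-8 needs the boundary-aware form, or a validation step between the two.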