help-libidn

Question regarding incomplete UTF-8 arguments.


From: Tetsuo Handa
Subject: Question regarding incomplete UTF-8 arguments.
Date: Sat, 23 Feb 2013 23:38:49 +0900

Hello.

idna_to_unicode_8z8z from "info libidn" says:

  idna_to_unicode_8z8z
  --------------------
  
   -- Function: int idna_to_unicode_8z8z (const char * INPUT, char **
            OUTPUT, int FLAGS)
       INPUT: zero-terminated UTF-8 string.
  
       OUTPUT: pointer to newly allocated output UTF-8 string.
  
       FLAGS: an `Idna_flags' value, e.g., `IDNA_ALLOW_UNASSIGNED' or
       `IDNA_USE_STD3_ASCII_RULES'.
  
       Convert possibly ACE encoded domain name in UTF-8 format into a
       UTF-8 string.  The domain name may contain several labels,
       separated by dots.  The output buffer must be deallocated by the
       caller.
  
       *Return value:* Returns `IDNA_SUCCESS' on success, or error code.

According to http://sourceforge.net/mailarchive/message.php?msg_id=30509057 ,
it is a bug of the GNU libidn library that the incomplete "zero-terminated UTF-8
string." argument leads to a read overrun.

Regards.



Below is result with libidn-1.18-2.el6.i686 .

address@hidden ~]$ cat idn.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <idna.h>

int main(int argc, char *argv[])
{
        char *ptr = NULL;
        char *src = strdup("address@hidden");
        if (idna_to_unicode_8z8z(src, &ptr, 0) == IDNA_SUCCESS)
                free(ptr);
        free(src);
        return 0;
}
address@hidden ~]$ gcc -Wall -g idn.c -lidn
address@hidden ~]$ valgrind ./a.out
==1515== Memcheck, a memory error detector
==1515== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==1515== Using Valgrind-3.6.0 and LibVEX; rerun with -h for copyright info
==1515== Command: ./a.out
==1515==
==1515== Invalid read of size 1
==1515==    at 0x4035701: stringprep_utf8_to_ucs4 (in /lib/libidn.so.11.6.1)
==1515==    by 0x4037BD9: idna_to_unicode_8z4z (in /lib/libidn.so.11.6.1)
==1515==    by 0x4037C46: idna_to_unicode_8z8z (in /lib/libidn.so.11.6.1)
==1515==    by 0x80484C0: main (idn.c:10)
==1515==  Address 0x41fc03b is 1 bytes after a block of size 18 alloc'd
==1515==    at 0x402682F: malloc (vg_replace_malloc.c:236)
==1515==    by 0x40DE41F: strdup (in /lib/libc-2.12.so)
==1515==    by 0x80484A0: main (idn.c:9)
==1515==
==1515== Invalid read of size 1
==1515==    at 0x4035620: stringprep_utf8_to_ucs4 (in /lib/libidn.so.11.6.1)
==1515==    by 0x4037BD9: idna_to_unicode_8z4z (in /lib/libidn.so.11.6.1)
==1515==    by 0x4037C46: idna_to_unicode_8z8z (in /lib/libidn.so.11.6.1)
==1515==    by 0x80484C0: main (idn.c:10)
==1515==  Address 0x41fc03a is 0 bytes after a block of size 18 alloc'd
==1515==    at 0x402682F: malloc (vg_replace_malloc.c:236)
==1515==    by 0x40DE41F: strdup (in /lib/libc-2.12.so)
==1515==    by 0x80484A0: main (idn.c:9)
==1515==
==1515==
==1515== HEAP SUMMARY:
==1515==     in use at exit: 0 bytes in 0 blocks
==1515==   total heap usage: 14 allocs, 14 frees, 549 bytes allocated
==1515==
==1515== All heap blocks were freed -- no leaks are possible
==1515==
==1515== For counts of detected and suppressed errors, rerun with: -v
==1515== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 15 from 8)
address@hidden ~]$



Same result for libidn-1.24 built with default configure options.

address@hidden ~]$ valgrind ./a.out
==11642== Memcheck, a memory error detector
==11642== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==11642== Using Valgrind-3.6.0 and LibVEX; rerun with -h for copyright info
==11642== Command: ./a.out
==11642==
==11642== Invalid read of size 1
==11642==    at 0x4035598: stringprep_utf8_to_ucs4 (nfkc.c:399)
==11642==    by 0x40379F8: idna_to_unicode_8z4z (idna.c:715)
==11642==    by 0x4037A65: idna_to_unicode_8z8z (idna.c:745)
==11642==    by 0x80484C0: main (idn.c:10)
==11642==  Address 0x41fb03b is 1 bytes after a block of size 18 alloc'd
==11642==    at 0x402682F: malloc (vg_replace_malloc.c:236)
==11642==    by 0x40DD41F: strdup (in /lib/libc-2.12.so)
==11642==    by 0x80484A0: main (idn.c:9)
==11642==
==11642== Invalid read of size 1
==11642==    at 0x4035563: stringprep_utf8_to_ucs4 (nfkc.c:447)
==11642==    by 0x40379F8: idna_to_unicode_8z4z (idna.c:715)
==11642==    by 0x4037A65: idna_to_unicode_8z8z (idna.c:745)
==11642==    by 0x80484C0: main (idn.c:10)
==11642==  Address 0x41fb03a is 0 bytes after a block of size 18 alloc'd
==11642==    at 0x402682F: malloc (vg_replace_malloc.c:236)
==11642==    by 0x40DD41F: strdup (in /lib/libc-2.12.so)
==11642==    by 0x80484A0: main (idn.c:9)
==11642==
==11642==
==11642== HEAP SUMMARY:
==11642==     in use at exit: 0 bytes in 0 blocks
==11642==   total heap usage: 14 allocs, 14 frees, 549 bytes allocated
==11642==
==11642== All heap blocks were freed -- no leaks are possible
==11642==
==11642== For counts of detected and suppressed errors, rerun with: -v
==11642== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 15 from 8)
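
A caller-side guard for the overrun reported above, as an added example that is not part of the original post or of libidn: it checks that no multi-byte UTF-8 sequence is cut off by the terminating NUL, so a string would be handed to idna_to_unicode_8z8z only when the check returns 1. The function name utf8_z_is_complete and the sample strings are constructed for illustration; the check covers sequence completeness, not overlong or surrogate encodings.

```c
#include <stddef.h>
#include <stdio.h>

/* Returns 1 if every UTF-8 sequence in the zero-terminated string s is
 * complete, 0 otherwise. Hypothetical helper; never reads past the NUL. */
static int utf8_z_is_complete(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        size_t need;                /* continuation bytes expected */

        if (*p < 0x80)
            need = 0;               /* ASCII */
        else if (*p >= 0xC2 && *p <= 0xDF)
            need = 1;               /* 2-byte lead */
        else if ((*p & 0xF0) == 0xE0)
            need = 2;               /* 3-byte lead */
        else if (*p >= 0xF0 && *p <= 0xF4)
            need = 3;               /* 4-byte lead */
        else
            return 0;               /* stray continuation or invalid lead */
        p++;
        while (need--) {
            /* The terminator 0x00 fails the 10xxxxxx test, so the scan
             * stops on the NUL instead of stepping over it. */
            if ((*p & 0xC0) != 0x80)
                return 0;
            p++;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: one complete name, one ending in a bare lead byte. */
    const char *complete  = "b\xC3\xBC" "cher.example";
    const char *truncated = "example.\xC3";

    printf("complete:  %d\n", utf8_z_is_complete(complete));
    printf("truncated: %d\n", utf8_z_is_complete(truncated));
    return 0;
}
```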


