Hi,

The documentation for the stringprep() function states:

"[I]ndicate how large the buffer holding the string is. This function will not _read_ or write to characters outside that size."

Looking at the source, this is clearly not true: the maxlen argument to stringprep() is only used at the end to check whether the resulting string fits in the buffer. The stringprep_utf8_to_ucs4() call is not restricted to stay within any limits.

This means that, if an attacker is able to inject invalid UTF-8 into the input buffer used for stringprep(), the lack of error checking by stringprep_utf8_to_ucs4() can be used to skip over the actual terminating NULL-byte, causing the stringprep call to read memory past the buffer it was supposed to not read outside of.

Sure, this is the application's fault for not properly verifying the input is UTF-8, but the mismatch between the documentation and the function makes this worse.

Best regards,
Thijs Alkemade
Help-libidn mailing list
Help-libidn@gnu.org
https://lists.gnu.org/mailman/listinfo/help-libidn
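As an added example (not from the post above and not libidn code), this is the kind of bounded UTF-8 check an application can run on a buffer before handing it to stringprep(), so that stringprep_utf8_to_ucs4() never sees a malformed sequence that would swallow the terminating NUL; the function assumes it is given the same maxlen the caller will pass to stringprep() and never reads at or beyond buf[maxlen].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return 1 if buf holds a well-formed UTF-8 string whose terminating NUL lies
 * within the first maxlen bytes, otherwise 0. A multi-byte lead whose
 * continuation bytes would cross the bound, or are a stray NUL, is rejected
 * instead of being skipped over. */
int utf8_bounded_valid(const char *buf, size_t maxlen)
{
    const unsigned char *p = (const unsigned char *)buf;
    size_t i = 0;
    while (i < maxlen) {
        unsigned char c = p[i];
        size_t need;          /* continuation bytes required by this lead */
        uint32_t cp;          /* decoded code point, for overlong/surrogate checks */
        if (c == 0)
            return 1;                         /* terminator found inside bounds */
        if (c < 0x80) { i++; continue; }      /* plain ASCII */
        if (c >= 0xC2 && c <= 0xDF)      { need = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { need = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; }
        else return 0;                        /* 0x80-0xC1 and 0xF5-0xFF never lead */
        if (maxlen - i - 1 < need)            /* sequence would run past maxlen */
            return 0;
        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = p[i + k];
            if ((cc & 0xC0) != 0x80)          /* not a continuation byte (NUL included) */
                return 0;
            cp = (cp << 6) | (cc & 0x3F);
        }
        /* reject overlong encodings, UTF-16 surrogates and values above U+10FFFF */
        if ((need == 2 && cp < 0x800) ||
            (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) ||
            (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
        i += need + 1;
    }
    return 0;                                  /* no terminator within maxlen */
}

int main(void)
{
    /* constructed inputs: a valid string, and a truncated 3-byte sequence
     * whose lead byte sits right before the terminating NUL */
    printf("valid:     %d\n", utf8_bounded_valid("caf\xC3\xA9", 6));
    printf("truncated: %d\n", utf8_bounded_valid("ab\xE2\x82", 8));
    return 0;
}
```

Only after this check returns 1 should the buffer be passed to stringprep() with the same maxlen.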