Bug#840771: segfaults on valid certificate

2016-10-19 Thread Dmitry Eremin-Solenikov
Package: dumpasn1
Followup-For: Bug #840771

I believe the patch you have provided is not complete/correct. You pass a
pointer to a wide character, when the code expects to have a valid wide
string (ending with L'\0'). Please consider the attached patch instead.

-- 
With best wishes
Dmitry


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages dumpasn1 depends on:
ii  libc6  2.24-3

dumpasn1 recommends no packages.

dumpasn1 suggests no packages.

-- no debconf information
Description: Fix bug 840771
Author: Mathieu Malaterre 
Bug-Debian: https://bugs.debian.org/840771

Index: dumpasn1-20150808/dumpasn1.c
===
--- dumpasn1-20150808.orig/dumpasn1.c
+++ dumpasn1-20150808/dumpasn1.c
@@ -1362,7 +1362,7 @@ static int displayUnicode( const wchar_t
 #elif 1
 		/* This (and the "%ls" variant below) seem to be the least broken 
 		   options */
-		fprintf( output, "%lc", wCh );
+		fprintf( output, "%lc", wCh[0] );
 #elif 0
 		wchar_t wChString[ 2 ];
 
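Review bot: only the `#elif 1` branch of this preprocessor chain is updated to read `wCh[0]`; the sibling branches are left alone (the `#elif 0` branch right below still declares its own `wchar_t wChString[ 2 ];`), so whoever later flips the selection inherits code written before `wCh` became a two-element, NUL-terminated array and should check it still compiles and terminates the string. A one-line comment at the top of the chain stating that `wCh` now arrives as a terminated array would make that contract explicit; with the terminator guaranteed by the caller, the `%ls` variant mentioned in the comment could also take `wCh` directly.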
@@ -1885,13 +1885,13 @@ static void displayString( FILE *inFile,
 		if( strOption == STR_UTF8 && ( ch & 0x80 ) )
 			{
 			const int secondCh = getc( inFile );
-			wchar_t wCh;
+			wchar_t wCh[2] = { 0, 0 };
 
 			/* It's a multibyte UTF8 character, read it as a widechar */
 			if( ( ch & 0xE0 ) == 0xC0 )		/* 111x -> 110x */
 {
 /* 2-byte character in the range 0x80...0x7FF */
-wCh = ( ( ch & 0x1F ) << 6 ) | ( secondCh & 0x3F );
+wCh[0] = ( ( ch & 0x1F ) << 6 ) | ( secondCh & 0x3F );
 i++;		/* We've read 2 characters */
 fPos += 2;
 }
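Review bot: the `{ 0, 0 }` initializer is the actual fix (it is what gives `wcstombs`/`%ls` a terminator to stop at), yet nothing in the hunk says why the array has two elements; a comment that `wCh[1]` is the terminator and must stay zero would stop a future edit from reusing it. Separately, `secondCh` comes straight from `getc( inFile )` and is masked with `& 0x3F` without checking for EOF or for the `10xxxxxx` continuation form, so a truncated or malformed sequence is decoded silently (EOF, i.e. -1, masks to 0x3F). A check such as `if( secondCh == EOF || ( secondCh & 0xC0 ) != 0x80 )` before the decode, falling into the `'.'` placeholder path, would be the defensive choice for a tool that is pointed at untrusted DER.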
@@ -1902,12 +1902,12 @@ static void displayString( FILE *inFile,
 	const int thirdCh = getc( inFile );
 
 	/* 3-byte character in the range 0x800...0x */
-	wCh = ( ( ch & 0x1F ) << 12 ) | \
+	wCh[0] = ( ( ch & 0x1F ) << 12 ) | \
 		  ( ( secondCh & 0x3F ) << 6 ) | \
 		  ( thirdCh & 0x3F );
 	}
 else
-	wCh = '.';
+	wCh[0] = '.';
 i += 2;		/* We've read 3 characters */
 fPos += 3;
 }
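Review bot: the `else` branch that substitutes `'.'` falls through to the same `i += 2; fPos += 3;` accounting as the successful 3-byte decode, but on that path only `ch` and `secondCh` have been read from the stream (the `thirdCh = getc( inFile )` sits inside the `if` block), so afterwards `fPos` is one byte ahead of the real file position and `i` overcounts by one. Either move the counters into the `if` block or have the `else` branch account for exactly the bytes it consumed. Also, the comment `0x800...0x` has lost its upper bound, and since a 3-byte lead byte is `1110xxxx`, masking it with `( ch & 0x1F )` only ever uses four bits; writing `0x0F` would say what is meant.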


Bug#840771: segfaults on valid certificate

2016-10-14 Thread Dmitry Eremin-Solenikov
Package: dumpasn1
Version: 20150808-1
Severity: normal

dumpasn1 segfaults on some certificates when printing Unicode strings.

E.g. you can try it with the certificate downloaded from
http://www.grfc.ru/upload/medialibrary/eec/016301.p7b

Valgrind backtrace:

 144   58:   SET {
 146   56: SEQUENCE {
 1483:   OBJECT IDENTIFIER streetAddress (2 5 4 9)
 153   49:   UTF8String
==3== Invalid read of size 4
==3==    at 0x4ED2D19: wcsnlen (wcsnlen.c:31)
==3==    by 0x4ED2556: wcsrtombs (wcsrtombs.c:104)
==3==    by 0x4E6D0D0: wcstombs (wcstombs.c:34)
==3==    by 0x402998: displayUnicode (dumpasn1.c:1325)
==3==    by 0x403B46: displayString (dumpasn1.c:1914)
==3==    by 0x405C58: printASN1object (dumpasn1.c:2823)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==  Address 0x414 is not stack'd, malloc'd or (recently) free'd
==3== 
==3== 
==3== Process terminating with default action of signal 11 (SIGSEGV)
==3==  Access not within mapped region at address 0x414
==3==    at 0x4ED2D19: wcsnlen (wcsnlen.c:31)
==3==    by 0x4ED2556: wcsrtombs (wcsrtombs.c:104)
==3==    by 0x4E6D0D0: wcstombs (wcstombs.c:34)
==3==    by 0x402998: displayUnicode (dumpasn1.c:1325)
==3==    by 0x403B46: displayString (dumpasn1.c:1914)
==3==    by 0x405C58: printASN1object (dumpasn1.c:2823)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==    by 0x406222: printAsn1 (dumpasn1.c:2974)
==3==    by 0x404C86: printConstructed (dumpasn1.c:2475)
==3==    by 0x405264: printASN1object (dumpasn1.c:2598)
==3==  If you believe this happened as a result of a stack
==3==  overflow in your program's main thread (unlikely but
==3==  possible), you can try to increase the size of the
==3==  main thread stack using the --main-stacksize= flag.
==3==  The main thread stack size used in this run was 8388608.



-- 
With best wishes
Dmitry


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages dumpasn1 depends on:
ii  libc6  2.24-3

dumpasn1 recommends no packages.

dumpasn1 suggests no packages.

-- no debconf information
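The construction the corrected patch relies on, as an added example that is not dumpasn1's code and not part of either message above: the decoded character is written into a two-element wchar_t buffer whose second element is L'\0', so that wcstombs() (which, as the backtrace shows, scans for a terminator via wcsnlen) never reads past the variable. The function names decode_utf8_char and display_utf8 and the sample byte sequence are assumptions made for this illustration. It goes slightly beyond the patch in that it also checks continuation bytes and rejects overlong and surrogate encodings, which the reviewed hunks do not do.

```c
/* Added example, not dumpasn1's own code. Demonstrates the fix shape from
 * Bug#840771: hand wcstombs() a NUL-terminated wchar_t buffer, never a bare
 * wchar_t. Function names and the sample bytes are constructed for this
 * illustration. */
#include <limits.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Decode one UTF-8 sequence of 1..3 bytes from buf[0..len).
 * out[] is always left NUL-terminated: out[0] is the code point (or L'.'
 * for an invalid or truncated sequence) and out[1] is L'\0'.
 * Returns the number of input bytes consumed, or 0 if the sequence is bad. */
size_t decode_utf8_char(const unsigned char *buf, size_t len, wchar_t out[2])
{
    out[0] = L'.';
    out[1] = L'\0';                          /* the terminator the original scalar lacked */
    if (len == 0)
        return 0;
    unsigned char ch = buf[0];
    if (ch < 0x80) {                         /* 1-byte ASCII */
        out[0] = (wchar_t)ch;
        return 1;
    }
    if ((ch & 0xE0) == 0xC0) {               /* 110xxxxx 10xxxxxx */
        if (len < 2 || (buf[1] & 0xC0) != 0x80)
            return 0;                        /* truncated, or not a continuation byte */
        wchar_t cp = (wchar_t)(((ch & 0x1F) << 6) | (buf[1] & 0x3F));
        if (cp < 0x80)
            return 0;                        /* overlong encoding */
        out[0] = cp;
        return 2;
    }
    if ((ch & 0xF0) == 0xE0) {               /* 1110xxxx 10xxxxxx 10xxxxxx */
        if (len < 3 || (buf[1] & 0xC0) != 0x80 || (buf[2] & 0xC0) != 0x80)
            return 0;
        wchar_t cp = (wchar_t)(((ch & 0x0F) << 12) |
                               ((buf[1] & 0x3F) << 6) |
                               (buf[2] & 0x3F));
        if (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;                        /* overlong, or a UTF-16 surrogate */
        out[0] = cp;
        return 3;
    }
    return 0;                                /* 4-byte lead or stray continuation byte */
}

/* Walk a buffer sequence by sequence. A bad sequence advances one byte and
 * is shown as '.'. Returns the number of characters emitted. */
size_t display_utf8(FILE *output, const unsigned char *buf, size_t len)
{
    size_t pos = 0, count = 0;
    while (pos < len) {
        wchar_t wCh[2];                      /* character plus terminator, as in the patch */
        size_t n = decode_utf8_char(buf + pos, len - pos, wCh);
        char mb[MB_LEN_MAX + 1];
        /* wcstombs() walks wCh until it finds L'\0'. With a lone wchar_t it
         * would keep reading whatever follows on the stack; that is the
         * wcsnlen() invalid read in the Valgrind trace. */
        size_t r = wcstombs(mb, wCh, sizeof mb);
        if (r == (size_t)-1)
            fprintf(output, "\\u%04lx", (unsigned long)wCh[0]);  /* locale cannot encode it */
        else
            fputs(mb, output);
        pos += n ? n : 1;
        count++;
    }
    return count;
}

int main(void)
{
    setlocale(LC_CTYPE, "");                 /* take the charset from the environment */
    /* Constructed sample: "Ж" (2-byte), "€" (3-byte), "A", then a truncated 3-byte sequence. */
    static const unsigned char sample[] = { 0xD0, 0x96, 0xE2, 0x82, 0xAC, 'A', 0xE2, 0x82 };
    size_t n = display_utf8(stdout, sample, sizeof sample);
    fprintf(stdout, "\n%zu characters\n", n);
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run under a UTF-8 locale to see the characters; under the plain C locale the non-ASCII ones fall back to the `\uXXXX` form. The terminator is written unconditionally at the top of decode_utf8_char rather than per branch, so no future branch can forget it.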