Dear libidn maintainers,
This program causes a crash for me with libidn 1.31:
"""
#include <idna.h>

int main(void)
{
    /* 0x80 (octal \200) is a stray UTF-8 continuation byte, so the
       string is not valid UTF-8 */
    const char input[] = "\200bad.com";
    char *output;

    /* flags = 0; expected: IDNA_ICONV_ERROR, observed: crash in free() */
    idna_to_unicode_8z8z(input, &output, 0);
    return 0;
}
"""
idna_to_unicode_8z8z ought to return IDNA_ICONV_ERROR because the input
isn't valid UTF-8. However, it winds up calling free() with a junk
pointer as a parameter. This is because:
- in idna_to_unicode_8z8z, "char *ucs4" is uninitialised
- idna_to_unicode_8z8z calls idna_to_unicode_8z4z, which returns
IDNA_ICONV_ERROR without initialising ucs4
- idna_to_unicode_8z8z then does "free(ucs4)" before checking the return
value from idna_to_unicode_8z4z
It looks like some of the other API functions use the same pattern (e.g.
..._8zlz), so it would be worth checking those as well.
This actually showed up for me as a crash in Courier's "maildrop" MDA
(http://www.courier-mta.org/maildrop/) -- if you feed it a message with
a From: line where the email address isn't valid UTF-8, it'll wind up
calling idna_to_unicode_8z8z on it and crashing as above.
Thanks,
--
Adam Sampson <[email protected]> <http://offog.org/>
_______________________________________________
Help-libidn mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-libidn
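The wrapper pattern the report describes, shown as an added example that is not libidn's code: `example_8z4z` stands in for the inner conversion that returns an error without touching its output pointer, `example_8z8z` is the outer wrapper written so that it cannot free a junk pointer, and the buggy order of operations from the report is reproduced in a comment. The UTF-8 decoder, the UCS-4 encoder, the function names and the `EX_*` return codes are all this example's own (the codes only echo libidn's names; the values are assumptions).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for this example only (names echo libidn's, values do not). */
enum { EX_SUCCESS = 0, EX_ICONV_ERROR = 1, EX_MALLOC_ERROR = 2 };

/* Decode one UTF-8 sequence at s into *cp. Returns its byte length (1..4),
   or 0 if the bytes are not well-formed UTF-8: a stray continuation byte
   such as 0x80, a truncated sequence, an overlong form, a surrogate, or a
   value above U+10FFFF. Never reads past NUL (NUL is not a continuation). */
static size_t utf8_decode(const unsigned char *s, uint32_t *cp)
{
    static const uint32_t min_for_len[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    uint32_t c = s[0];
    size_t len;

    if (c < 0x80) { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; c &= 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; c &= 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; c &= 0x07; }
    else return 0;                              /* 0x80..0xBF, 0xF8..0xFF */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;    /* truncated or early NUL */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min_for_len[len] || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return 0;
    *cp = c;
    return len;
}

/* Inner step, playing the role idna_to_unicode_8z4z plays in the report:
   UTF-8 in, NUL-terminated UCS-4 array out. On failure it returns an error
   code and deliberately leaves *out untouched; that is the property the
   outer wrapper has to cope with. */
int example_8z4z(const char *in, uint32_t **out)
{
    size_t n = strlen(in);                      /* code points <= bytes */
    uint32_t *buf = malloc((n + 1) * sizeof *buf);
    size_t i = 0, k = 0;

    if (!buf) return EX_MALLOC_ERROR;
    while (in[i]) {
        size_t len = utf8_decode((const unsigned char *)in + i, &buf[k]);
        if (len == 0) { free(buf); return EX_ICONV_ERROR; }
        i += len;
        k++;
    }
    buf[k] = 0;
    *out = buf;
    return EX_SUCCESS;
}

/* Encode a NUL-terminated UCS-4 array back into a malloc'd UTF-8 string. */
static char *ucs4_to_utf8(const uint32_t *ucs4)
{
    size_t n = 0, k = 0;
    for (const uint32_t *p = ucs4; *p; p++) n++;
    char *s = malloc(4 * n + 1);
    if (!s) return NULL;
    for (const uint32_t *p = ucs4; *p; p++) {
        uint32_t c = *p;
        if (c < 0x80) { s[k++] = (char)c; continue; }
        if (c < 0x800) { s[k++] = (char)(0xC0 | (c >> 6)); }
        else if (c < 0x10000) { s[k++] = (char)(0xE0 | (c >> 12));
                                s[k++] = (char)(0x80 | ((c >> 6) & 0x3F)); }
        else { s[k++] = (char)(0xF0 | (c >> 18));
               s[k++] = (char)(0x80 | ((c >> 12) & 0x3F));
               s[k++] = (char)(0x80 | ((c >> 6) & 0x3F)); }
        s[k++] = (char)(0x80 | (c & 0x3F));
    }
    s[k] = 0;
    return s;
}

/* The order of operations the report describes, kept as a comment because
 * executing it is undefined behaviour:
 *
 *     uint32_t *ucs4;                      // (1) uninitialised
 *     int rc = example_8z4z(in, &ucs4);    // (2) error path leaves it so
 *     ... convert ucs4 to UTF-8 ...
 *     free(ucs4);                          // (3) frees a junk pointer
 *     if (rc != EX_SUCCESS) return rc;     // (4) check comes too late
 */

/* Hardened outer wrapper: initialise the pointer, check the inner return
   code before touching it, and free only what was actually allocated. */
int example_8z8z(const char *in, char **out)
{
    uint32_t *ucs4 = NULL;
    int rc = example_8z4z(in, &ucs4);
    if (rc != EX_SUCCESS) return rc;            /* nothing to free yet */
    *out = ucs4_to_utf8(ucs4);
    free(ucs4);
    return *out ? EX_SUCCESS : EX_MALLOC_ERROR;
}
```

Feeding `example_8z8z` the report's `"\200bad.com"` returns `EX_ICONV_ERROR` and leaves `*out` untouched; a valid input such as `"b\303\274cher.example"` round-trips through UCS-4 and back. The same two rules (initialise to NULL, check the return code before any use or free) apply to every wrapper that chains conversions this way, which is the check the report suggests for the other `..._8z*` entry points.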