Bug 90784 - Out of bounds memory read on malformed input with desktop-file-validate
Status: RESOLVED DUPLICATE of bug 94303
Alias: None
Product: desktop-file-utils
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Hans Petter Jansson
Duplicates: 90783
Reported: 2015-05-30 13:28 UTC by Hanno Böck
Modified: 2016-05-12 18:53 UTC

Attachments
.desktop file triggering out of bounds read (22 bytes, text/plain)
2015-05-30 13:28 UTC, Hanno Böck
full address sanitizer debugging output (3.17 KB, text/plain)
2015-05-30 13:29 UTC, Hanno Böck

Description Hanno Böck 2015-05-30 13:28:33 UTC
Using desktop-file-validate on the attached file will cause an out of bounds memory read. This can be seen by compiling with address sanitizer (CFLAGS="-fsanitize=address") or with valgrind.

Here's the content of the file:
[Desktop Entry]
Exec=\

Seems the parsing of the backslash doesn't consider the case when the line or file ends.

This is the relevant part of the output of address sanitizer:
==3905==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee92 at pc 0x0000004ea227 bp 0x7ffd88d0cc50 sp 0x7ffd88d0cc48
READ of size 1 at 0x60200000ee92 thread T0
    #0 0x4ea226 in handle_exec_key /mnt/ram/desktop-file-utils-0.22/src/validate.c:1229:10
    #1 0x4e4c06 in handle_desktop_exec_key /mnt/ram/desktop-file-utils-0.22/src/validate.c:1397:10
    #2 0x4ed190 in validate_known_key /mnt/ram/desktop-file-utils-0.22/src/validate.c:2248:12
    #3 0x4ec80c in validate_action_key /mnt/ram/desktop-file-utils-0.22/src/validate.c:2284:10
    #4 0x4ec80c in validate_keys_for_current_group /mnt/ram/desktop-file-utils-0.22/src/validate.c:2376
    #5 0x4e19cb in validate_flush_parse_buffer /mnt/ram/desktop-file-utils-0.22/src/validate.c:2945:5
    #6 0x4e19cb in validate_parse_from_fd /mnt/ram/desktop-file-utils-0.22/src/validate.c:2993
    #7 0x4e19cb in validate_load_and_parse /mnt/ram/desktop-file-utils-0.22/src/validate.c:3011
    #8 0x4e19cb in desktop_file_validate /mnt/ram/desktop-file-utils-0.22/src/validate.c:3078
    #9 0x4ee9da in main /mnt/ram/desktop-file-utils-0.22/src/validator.c:81:17
    #10 0x7ff2f5906f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #11 0x4379d6 in _start (/mnt/ram/desktop-file-utils-0.22/src/desktop-file-validate+0x4379d6)

I'll attach the full output. This issue was found with the fuzzing tool american fuzzy lop.
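
An added example, not code from desktop-file-utils or from this report: one loop shape that would produce the behaviour the description suspects for `Exec=\`, beside a form that checks for the terminator. The function names, the padded buffer and its filler byte are assumptions, constructed so the read past the NUL stays inside a real array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the page's Exec value (a lone backslash) placed in a
 * larger array, so reading past its NUL stays inside defined memory. */
static const char padded_exec[8] = { '\\', '\0', 'X', '\0' };

/* Hypothetical unchecked scanner: returns the index of the last byte read.
 * After a backslash it skips the next byte without testing for the NUL. */
static size_t scan_exec_unchecked(const char *value)
{
    size_t i = 0;

    while (value[i] != '\0') {
        if (value[i] == '\\')
            i++;        /* onto the escaped byte, which may be the NUL */
        i++;            /* past it: now beyond the terminator */
    }
    return i;
}

/* Checked form: a backslash followed by the terminator is reported as an
 * error (-1) instead of being skipped; otherwise returns the NUL's index. */
static long scan_exec_checked(const char *value)
{
    size_t i = 0;

    while (value[i] != '\0') {
        if (value[i] == '\\') {
            if (value[i + 1] == '\0')
                return -1;   /* trailing backslash: stop at the NUL */
            i++;
        }
        i++;
    }
    return (long)i;
}

int main(void)
{
    printf("strlen=%zu unchecked last read index=%zu checked=%ld\n",
           strlen(padded_exec), scan_exec_unchecked(padded_exec),
           scan_exec_checked(padded_exec));
    return 0;
}
```

With an exactly sized heap allocation instead of the padded array, the unchecked loop's read at index 2 is the kind of one-byte read past the buffer that AddressSanitizer flags.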
Comment 1 Hanno Böck 2015-05-30 13:28:58 UTC
Created attachment 116174
.desktop file triggering out of bounds read
Comment 2 Hanno Böck 2015-05-30 13:29:19 UTC
Created attachment 116175
full address sanitizer debugging output
Comment 3 Vincent Untz 2015-09-18 09:50:43 UTC
Sorry for the noise, reassigning to new maintainer.
Comment 4 Hanno Böck 2016-01-03 16:43:38 UTC
*** Bug 90783 has been marked as a duplicate of this bug. ***
Comment 5 Hans Petter Jansson 2016-05-12 18:53:10 UTC
Thank you, Hanno -- I didn't realize you'd already filed this, so I followed up in bug 94303 instead, of which I will now mark this as a duplicate.

*** This bug has been marked as a duplicate of bug 94303 ***