commit e7667dd: [Minor] Fix buffer overflow due to libicu super safe macros

Vsevolod Stakhov vsevolod at highsecure.ru
Tue May 18 11:49:04 UTC 2021


Author: Vsevolod Stakhov
Date: 2021-05-18 12:43:22 +0100
URL: https://github.com/rspamd/rspamd/commit/e7667dd0f6b64748e0d3d14158733f119893d631 (HEAD -> master)

[Minor] Fix buffer overflow due to libicu super safe macros

---
 src/libutil/cxx/utf8_util.cxx | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/libutil/cxx/utf8_util.cxx b/src/libutil/cxx/utf8_util.cxx
index 337961f2b..cf71ae2ae 100644
--- a/src/libutil/cxx/utf8_util.cxx
+++ b/src/libutil/cxx/utf8_util.cxx
@@ -136,6 +136,12 @@ rspamd_normalise_unicode_inplace(char *start, size_t *len)
 		size_t i = 0;
 
 		while(it.hasNext()) {
+			/* libicu is very 'special' if it comes to 'safe' macro */
+			if (i >= *len) {
+				ret |= RSPAMD_UNICODE_NORM_ERROR;
+				break;
+			}
+
 			auto uc = it.next32PostInc();
 
 			if (zw_spaces.contains(uc)) {
@@ -143,12 +149,15 @@ rspamd_normalise_unicode_inplace(char *start, size_t *len)
 			}
 			else {
 				UBool err = 0;
+
+				if (uc == 0xFFFD) {
+					ret |= RSPAMD_UNICODE_NORM_UNNORMAL;
+				}
 				U8_APPEND((uint8_t*)start, i, *len, uc, err);
 
 				if (err) {
-					ret = RSPAMD_UNICODE_NORM_ERROR;
-
-					return i;
+					ret |= RSPAMD_UNICODE_NORM_ERROR;
+					break;
 				}
 			}
 		}
@@ -187,6 +196,9 @@ TEST_SUITE("utf8 utils") {
 				/* Same with zw spaces */
 				{"13\u200C_\u0020\u0308\u0301\u038e\u03ab\u200D", "13_ ̈́ΎΫ",
 	 							RSPAMD_UNICODE_NORM_UNNORMAL|RSPAMD_UNICODE_NORM_ZERO_SPACES},
+				/* Buffer overflow case */
+				{"u\xC2\xC2\xC2\xC2\xC2\xC2""abcdef""abcdef", "u������",
+	 							RSPAMD_UNICODE_NORM_UNNORMAL|RSPAMD_UNICODE_NORM_ERROR},
 		};
 
 		for (const auto &c : cases) {


More information about the Commits mailing list