xorl %eax, %eax

CVE-2009-0585: libsoup Integer Overflow


This bug was disclosed on 12 March 2009 together with a few similar ones in GLib. Credit goes to Diego Pettenò for finding them. libsoup is the library that provides the HTTP client/server routines for GNOME. Releases 2.x.x before 2.2.98 and 2.x before 2.24 are vulnerable to the following bug. Here is the code from 2.2.97:

3  * soup-misc.c: Miscellaneous functions
    ...
206 /**
207  * soup_base64_encode:
208  * @text: the binary data to encode.
209  * @len: the length of @text.
210  *
211  * Encode a sequence of binary data into its Base-64 stringified
212  * representation.
213  *
214  * Return value: The Base-64 encoded string representing @text.
215  */
216 char *
217 soup_base64_encode (const char *text, int len)
218 {
219         unsigned char *out;
220         int state = 0, outlen,  save = 0;
221
222         out = g_malloc (len * 4 / 3 + 5);
223         outlen = soup_base64_encode_close ((const guchar *)text,
224                                            len,
225                                            FALSE,
226                                            out,
227                                            &state,
228                                            &save);
229         out[outlen] = '\0';
230         return (char *) out;
231 }


It’s kind of obvious… At line 222, where the allocation takes place, `len` is multiplied by 4 in plain `int` arithmetic, so a large enough value wraps and the requested size ends up far smaller than what soup_base64_encode_close() writes into the buffer (for example, `len * 4` wraps to 0 when `len` is 2^30, leaving a 5-byte allocation). And since `len` is signed, a negative value is accepted too: the expression becomes negative and is silently converted to the unsigned size type when it is passed to g_malloc(). This fairly simple integer overflow was patched like this:

         int state = 0, outlen,  save = 0;

-        out = g_malloc (len * 4 / 3 + 5);
+        if (len < 0)
+            g_error("%s: invalid Base64 encoding input length specified: %d",
+                G_STRLOC, len);
+
+        out = g_malloc ((len / 3 + 1) * 4 + 1);
         outlen = soup_base64_encode_close ((const guchar *)text,
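Review bot: the new size expression `(len / 3 + 1) * 4 + 1` is still evaluated in `int`, so it can still exceed INT_MAX for very large inputs (once `len / 3 + 1` goes above INT_MAX / 4, i.e. `len` beyond roughly 3 * (INT_MAX / 4)); casting `len` to `gsize` before the multiply, or bounding `len` with an explicit upper limit next to the `len < 0` check, would close that last corner. Also note that g_error() is fatal, so a negative length now aborts the whole process rather than returning an error to the caller; if that is intended, it is worth a comment above the check.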

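To make the arithmetic concrete, here is an added example (my own code, not libsoup's source or its patch) that reproduces the size computation from line 222 in isolation, compares it with the number of bytes the encoder actually writes, and shows a hardened version that does the computation in `size_t` and reports failure instead of aborting. The function names, the sample lengths and the 32-bit `int` emulation are mine; the needed-size formula assumes the no-line-breaks encoding (four output characters per three input bytes, plus the terminating NUL).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Size that soup_base64_encode() in libsoup 2.2.97 hands to g_malloc():
 *     out = g_malloc (len * 4 / 3 + 5);
 * The multiply is done in int, so it wraps once len * 4 exceeds INT_MAX,
 * and a negative result is silently converted to gsize (size_t here).
 * The 32-bit wrap is emulated with uint32_t arithmetic and an explicit
 * two's-complement reinterpretation so this function has no UB of its own.
 */
size_t vulnerable_alloc_size(int len)
{
    uint32_t u = (uint32_t)len * 4u;                        /* len * 4, mod 2^32 */
    int32_t wrapped = (u <= (uint32_t)INT32_MAX)
                          ? (int32_t)u
                          : -(int32_t)(UINT32_MAX - u) - 1;  /* what a 32-bit int would hold */
    int32_t n = wrapped / 3 + 5;                            /* cannot overflow: |wrapped / 3| < 2^30 */
    return (size_t)n;                                       /* negative n -> enormous size_t */
}

/* Bytes the encoder writes for len input bytes with no line breaks:
 * 4 output characters per 3-byte group (last group padded), plus the NUL. */
size_t needed_size(int len)
{
    if (len < 0)
        return 0;
    size_t ulen = (size_t)len;
    return ((ulen + 2) / 3) * 4 + 1;
}

/* True when the 2.2.97 computation allocates fewer bytes than the encoder writes. */
bool vulnerable_undersizes(int len)
{
    return len >= 0 && vulnerable_alloc_size(len) < needed_size(len);
}

/*
 * Hardened replacement (my rewrite, not the libsoup patch): reject a negative
 * length, do the arithmetic in size_t, and refuse a size that would wrap
 * instead of aborting the process. Returns false on bad input.
 */
bool safe_alloc_size(int len, size_t *out_size)
{
    if (len < 0 || out_size == NULL)
        return false;
    size_t groups = (size_t)len / 3 + 1;      /* same shape as the fix: (len / 3 + 1) * 4 + 1 */
    if (groups > (SIZE_MAX - 1) / 4)          /* would groups * 4 + 1 wrap? */
        return false;
    *out_size = groups * 4 + 1;
    return true;
}

int main(void)
{
    /* Constructed inputs: a normal length, a length whose len * 4 wraps to 0, and a negative one. */
    const int samples[] = { 1000, 0x40000000, -100 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = samples[i];
        size_t safe = 0;
        bool ok = safe_alloc_size(len, &safe);
        printf("len=%11d  2.2.97 allocates %20zu  encoder needs %11zu  undersized=%d  hardened: %s %zu\n",
               len, vulnerable_alloc_size(len), needed_size(len),
               (int)vulnerable_undersizes(len), ok ? "ok" : "rejected", safe);
    }
    return 0;
}
```

The 2^30 sample is the interesting one: `len * 4` wraps to exactly 0, so the original code asks for 5 bytes while the encoder writes well over a gigabyte. The hardened version returns `false` rather than calling a fatal g_error(), which is a deliberate difference from the patch so that a caller can fail the request instead of taking the process down.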
Written by xorl

April 25, 2009 at 05:01

Posted in bugs
