This repository has been archived by the owner on Sep 20, 2023. It is now read-only.

Segmentation fault on invalid input #17

Closed
hreinhardt opened this issue Jun 3, 2016 · 4 comments

@hreinhardt

Running the following program

import qualified Data.ByteString as B
import Data.ASN1.Encoding
import Data.ASN1.BinaryEncoding

-- Read the attached file and decode it as DER; the crash happens in the decode.
main :: IO ()
main = do
    f <- B.readFile "data.txt"
    print $ decodeASN1Repr' DER f

on the attached file (data.txt) produces a segmentation fault on GHC 7.8.2 and 8.0.1 on Windows.

@enolan

enolan commented Jun 4, 2016

Crashes on Linux too. I used afl-tmin and got a much smaller testcase.

enolan added a commit to enolan/hs-asn1 that referenced this issue Jun 6, 2016
@enolan

enolan commented Jun 6, 2016

It's an integer overflow problem. I'll have a PR soon.

vincenthz added a commit that referenced this issue Jun 7, 2016
vincenthz added a commit that referenced this issue Jun 7, 2016
enolan added a commit to enolan/hs-asn1 that referenced this issue Jun 7, 2016
Removes the potential for getBytes to segfault with negative lengths. That's
what was happening in vincenthz#17.
enolan added a commit to enolan/hs-asn1 that referenced this issue Jun 7, 2016
@vincenthz
Owner

I added 8a8d34b to make the parser solid; it doesn't actually require such fine tuning anyway, but re-reading the source after many years, I don't understand why ensure is not doing its expected job. Is there some fundamental integer overflow somewhere else than the ASN1 parser? It seems to do the job to at least fail the parsing with a parsing error, not a segfault!

@enolan: please let me know if you want to add anything to the repo, I'll cut a release ASAP provided it's all working (confirmation of doing the right thing is good too)

enolan added a commit to enolan/hs-asn1 that referenced this issue Jun 7, 2016
enolan added a commit to enolan/hs-asn1 that referenced this issue Jun 7, 2016
@vincenthz
Owner

I think this has been fixed now
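
Added example, not part of the thread and not hs-asn1's code: one way a decoder can avoid handing a negative length to a byte-slicing routine such as the getBytes named in the commit message above. It assumes the overflow comes from folding DER long-form length octets into a fixed-width Int, which the thread does not confirm; naiveLen, checkedLen and readTLV are hypothetical names and the inputs are constructed.

```haskell
import qualified Data.ByteString as B
import Data.Bits (shiftL, testBit, (.&.), (.|.))
import Data.Word (Word8)

-- Unsafe pattern: fold length octets into a fixed-width Int. Eight octets
-- with the top bit set wrap around to a negative value on 64-bit GHC.
naiveLen :: [Word8] -> Int
naiveLen = foldl (\acc b -> (acc `shiftL` 8) .|. fromIntegral b) 0

-- Safe pattern: accumulate in an unbounded Integer and compare against the
-- bytes actually left before narrowing to Int.
checkedLen :: Int -> [Word8] -> Either String Int
checkedLen avail octets
  | n > toInteger avail = Left ("declared length " ++ show n ++ " exceeds input")
  | otherwise = Right (fromInteger n)
  where n = foldl (\acc b -> acc * 256 + toInteger b) 0 octets

-- Read one tag/length/value triple (single-byte tags, definite lengths only).
-- Returns (tag, value, rest) or a parse error; never slices with a bad length.
readTLV :: B.ByteString -> Either String (Word8, B.ByteString, B.ByteString)
readTLV bs = do
  (tag, r1) <- maybe (Left "missing tag") Right (B.uncons bs)
  (l0, r2)  <- maybe (Left "missing length") Right (B.uncons r1)
  (len, r3) <-
    if not (testBit l0 7)
      then (\n -> (n, r2)) <$> checkedLen (B.length r2) [l0]
      else do
        let k = fromIntegral (l0 .&. 0x7f) :: Int
        if k == 0 then Left "indefinite length is not valid DER" else Right ()
        if k > B.length r2 then Left "truncated length octets" else Right ()
        let (lenOctets, r) = B.splitAt k r2
        n <- checkedLen (B.length r) (B.unpack lenOctets)
        Right (n, r)
  let (value, rest) = B.splitAt len r3
  Right (tag, value, rest)

main :: IO ()
main = do
  -- Constructed inputs: a header claiming 8 length octets of 0xFF, and a
  -- well-formed OCTET STRING followed by a NULL.
  let hostile = B.pack (0x30 : 0x88 : replicate 8 0xff)
      ok      = B.pack [0x04, 0x03, 0x61, 0x62, 0x63, 0x05, 0x00]
  print (naiveLen (replicate 8 0xff))
  print (readTLV hostile)
  print (readTLV ok)
```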
