Closed
Bug 1275787
Opened 8 years ago
Closed 2 years ago
Libical attempting free on address which was not malloc()-ed
Categories
(Calendar :: Internal Components, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bperry.volatile, Unassigned)
Attachments (1 file): 28.88 KB, application/zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

Attached are test cases used to crash libical 0.47 (exploiting the same bug but with different paths). However, I do not believe Thunderbird is vulnerable to this bug as it doesn't call icalparser_add_line as far as I can tell.

http://mxr.mozilla.org/comm-central/search?string=icalparser_add_line

This is only to file a bug report in pair with my other crashes which could be reached from Thunderbird, and they should be on the record. It has more details on building libical with ASan for reproduction. (https://bugzilla.mozilla.org/show_bug.cgi?id=1275400)

Actual results:

An example stack trace

AddressSanitizer: attempting free on address which was not malloc()-ed: 0x602000003670 in thread T0
    #0 0x7fc8dbebe6aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc8dbbedc62 in icalmemory_free_buffer (/root/tmp/libical-0.47/build/lib/libical.so.0+0x31c62)
    #2 0x7fc8dbbf13be in icalparser_add_line (/root/tmp/libical-0.47/build/lib/libical.so.0+0x353be)
    #3 0x400c6a in main (/root/tmp/libical-0.47/build/src/test/parser+0x400c6a)
    #4 0x7fc8db812a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x400ad8 in _start (/root/tmp/libical-0.47/build/src/test/parser+0x400ad8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free

Expected results:

Shouldn't crash.
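The report notes that several attached test cases reach the same bug by different paths. The following is an added example, not part of the original report or of libical: it parses the ASan trace above and groups crashes by error class plus the first frames below the sanitizer runtime. The names `parse_frames` and `bucket`, the depth of 2, and the re-addressed `VARIANT` trace are assumptions made for illustration.

```python
import re

# Trace copied from the report above.
REPORT = """\
AddressSanitizer: attempting free on address which was not malloc()-ed: 0x602000003670 in thread T0
    #0 0x7fc8dbebe6aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x7fc8dbbedc62 in icalmemory_free_buffer (/root/tmp/libical-0.47/build/lib/libical.so.0+0x31c62)
    #2 0x7fc8dbbf13be in icalparser_add_line (/root/tmp/libical-0.47/build/lib/libical.so.0+0x353be)
    #3 0x400c6a in main (/root/tmp/libical-0.47/build/src/test/parser+0x400c6a)
    #4 0x7fc8db812a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x400ad8 in _start (/root/tmp/libical-0.47/build/src/test/parser+0x400ad8)
SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
"""

# Constructed variant: same call path, different load and heap addresses,
# as a second run under ASLR would produce.
VARIANT = REPORT.replace("0x7fc8db", "0x7f11aa").replace("0x602000003670", "0x6020000012f0")

FRAME = re.compile(r"#(\d+) (0x[0-9a-f]+) in (\S+) \((.+)\+(0x[0-9a-f]+)\)")
SUMMARY = re.compile(r"SUMMARY: AddressSanitizer: (\S+)")


def parse_frames(report):
    """Return [(index, function, module path, offset inside module), ...]."""
    return [(int(i), fn, mod, int(off, 16))
            for i, _pc, fn, mod, off in FRAME.findall(report)]


def bucket(report, depth=2):
    """Signature: error class plus the first `depth` non-sanitizer frames."""
    m = SUMMARY.search(report)
    kind = m.group(1) if m else "unknown"
    # Skip the ASan interceptor so the signature names the library code
    # that passed the bad pointer to free(), not free() itself.
    frames = [f for f in parse_frames(report)
              if "libasan" not in f[2] and not f[1].startswith("__interceptor_")]
    # Function names are used instead of addresses, which change per run.
    return "|".join([kind] + [fn for _i, fn, _mod, _off in frames[:depth]])


if __name__ == "__main__":
    print(bucket(REPORT))
    print(bucket(VARIANT) == bucket(REPORT))
```
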
Comment 2•8 years ago
Same goes for this bug. See bug 1275400 comment 10.
Comment 3•8 years ago (Reporter)
Like I said, these were only against 0.47 and were reported simply because they were in the same version as was reportedly used in Thunderbird. I did not see them in latest.
Comment 4•8 years ago (Reporter)
I also don't believe this is worthy of a bug bounty. I am reporting this only for visibility since it seems to affect the version in use by Thunderbird.
Updated•8 years ago
Group: mail-core-security
Component: Untriaged → General
Product: Thunderbird → Calendar
Updated•8 years ago
Component: General → Internal Components
Comment 5•2 years ago
libical has now been removed - bug 1787097.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME