Closed
Bug 1949150
Opened 1 year ago
Closed 11 months ago
NULL-dereference in nss_cms_decoder_notify
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mdauer, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
130 bytes, application/octet-stream
OSS-Fuzz: https://oss-fuzz.com/testcase-detail/4789473976320000
Details
The null pointer dereference occurs here in nss_cms_decoder_notify for cinfo->rawContent:

```c
if (after && dest == &(cinfo->rawContent)) {
    /* we're right after of the data */
    if (nss_cms_after_data(p7dcx) != SECSuccess)
        p7dcx->error = PORT_GetError();
    /* we don't need to see the contents anymore */
    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
}
```

cinfo is assigned earlier the return value of NSS_CMSContent_GetContentInfo:

```c
cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer,
                                      p7dcx->type);
```

and NSS_CMSContent_GetContentInfo returns NULL if p7dcx->content.pointer is NULL, which seems to be the case we are hitting here.
To reproduce, perform the following steps:
- Build NSS with `./build.sh -c --fuzz --disable-tests`
- Run `/path/to/dist/Debug/bin/nssfuzz-smime /path/to/testcase`
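A simplified model of the pattern described in this report, added here as an illustration; it is not NSS code and not the patch from Bug 1949145. The types and functions (`DecoderCtx`, `get_content_info`, `notify_guarded`) are hypothetical stand-ins, and the NULL check is one possible guard, assumed rather than taken from the actual fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the NSS types named in the report. */
typedef struct { int len; } Item;
typedef struct { Item rawContent; } ContentInfo;
typedef struct { ContentInfo contentInfo; } SignedData;

typedef struct {
    void *content_pointer;   /* models p7dcx->content.pointer */
    int   error;             /* models p7dcx->error */
    int   after_data_calls;  /* counts runs of the post-content step */
} DecoderCtx;

enum { ERR_NONE = 0, ERR_NO_CONTENT = 1 };

/* Models the lookup described in the report: NULL in, NULL out. */
ContentInfo *get_content_info(void *content_pointer)
{
    if (content_pointer == NULL)
        return NULL;
    return &((SignedData *)content_pointer)->contentInfo;
}

/* Guarded notify step: returns 0 on success, -1 if no content info exists. */
int notify_guarded(DecoderCtx *ctx, void *dest, int after)
{
    ContentInfo *cinfo = get_content_info(ctx->content_pointer);

    if (cinfo == NULL) {           /* the state the fuzzer input reaches */
        ctx->error = ERR_NO_CONTENT;
        return -1;
    }
    if (after && dest == (void *)&cinfo->rawContent)
        ctx->after_data_calls++;   /* stands in for nss_cms_after_data() */
    return 0;
}

int main(void)
{
    SignedData sd = {{{0}}};       /* constructed sample content */
    DecoderCtx empty = {NULL, ERR_NONE, 0}, ok = {&sd, ERR_NONE, 0};

    printf("empty: %d\n", notify_guarded(&empty, NULL, 1));
    printf("ok: %d\n", notify_guarded(&ok, &sd.contentInfo.rawContent, 1));
    return 0;
}
```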
Comment 1•1 year ago
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit BugBot documentation.
Flags: needinfo?(bbeurdouche)
Comment 2•11 months ago (Reporter)
This was fixed in Bug 1949145: https://hg-edge.mozilla.org/projects/nss/rev/b4e99b13cbb6219a84dce0903a0063f94dc55c79
Status: NEW → RESOLVED
Closed: 11 months ago
Flags: needinfo?(bbeurdouche)
Resolution: --- → FIXED
Updated•11 months ago
Blocks: nss-fuzzing-bugs