packages/libical
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libical/libical-bugfix-Cap-the-number-of-parameters.patch
orange-snn 85564b60c5 bugfix in oss-fuzz
2020-03-10 17:16:46 +08:00

71 lines
2.3 KiB
Diff
Raw Blame History

From 97abaada05f20973a710e194ce7c91c80bf39fe6 Mon Sep 17 00:00:00 2001
From: orange-snn <songnannan2@huawei.com>
Date: Tue, 10 Mar 2020 16:44:19 +0800
Subject: [PATCH] Cap the number of parameters and properties to prevent
unbounded memory usage or hanging Alternate fix to #381.
---
src/libical/icalparser.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 5715036..416080d 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -46,6 +46,9 @@
#define TMP_BUF_SIZE 80
+#define MAXIMUM_ALLOWED_PARAMETERS 100
+#define MAXIMUM_ALLOWED_MULTIPLE_VALUES 500
+
struct icalparser_impl
{
int buffer_full; /* flag indicates that temp is smaller that
@@ -689,6 +692,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
{
char *str;
char *end;
+ int pcount = 0;
int vcount = 0;
icalproperty *prop;
icalproperty_kind prop_kind;
@@ -864,7 +868,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
/* Now, add any parameters to the last property */
- while (1) {
+ while (pcount < MAXIMUM_ALLOWED_PARAMETERS) {
if (*(end - 1) == ':') {
/* if the last separator was a ":" and the value is a
URL, icalparser_get_next_parameter will find the
@@ -1083,6 +1087,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
icalmemory_free_buffer(str);
str = NULL;
+ pcount++;
continue;
}
}
@@ -1092,7 +1097,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
tail = 0;
icalmemory_free_buffer(str);
str = NULL;
-
+ pcount++;
} else {
/* str is NULL */
break;
@@ -1109,7 +1114,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
parameter and add one part of the value to each clone */
vcount = 0;
- while (1) {
+ while (vcount < MAXIMUM_ALLOWED_MULTIPLE_VALUES) {
/* Only some properties can have multiple values. This list was taken
from rfc5545. Also added the x-properties, because the spec actually
says that commas should be escaped. For x-properties, other apps may
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink