Panic when decoding an invalid UTCTime #27

nmathewson · 2021-11-14T14:37:35Z

Hello, I hope this is the right place to report this; I didn't find any documentation for a preferred method for reporting security issues.

The following code panics when trying to parse an invalid UTCTime object:

fn main() {
    let input =  [55, 13, 13, 133, 13, 13, 50, 13, 13, 133, 13, 13, 50, 13, 133];
    let output = simple_asn1::from_der(&input);
    println!("{:?}", output);
}

The panic occurs because of these line in lib.rs:

                let v = String::from_iter(body.iter().map(|x| *x as char));
                let y = &v[0..2];

If the string is constructed in such a way that the first two bytes do not end on a character boundary, the slice operation will panic.

Found by fuzzing a downstream library.

I'll submit a patch ASAP.

The text was updated successfully, but these errors were encountered:

When slicing a string, you get a panic if you do so at any point other than at a character boundary. This happened in the implementation of UTCTime parsing. This bug was introduced in bc156c3, and appears to affect only version 0.6.0. I've tried using the clippy::string_slice lint to confirm that there are not any other string slices in this code. Fixes bug acw#27. Found via fuzzing.

nmathewson mentioned this issue Nov 14, 2021

[security] Fix a panic from an unchecked string slice. #28

Merged

acw closed this as completed Nov 15, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Panic when decoding an invalid UTCTime #27

Panic when decoding an invalid UTCTime #27

nmathewson commented Nov 14, 2021 •

edited

Loading

Panic when decoding an invalid UTCTime #27

Panic when decoding an invalid UTCTime #27

Comments

nmathewson commented Nov 14, 2021 • edited Loading

nmathewson commented Nov 14, 2021 •

edited

Loading