
touch-packages team mailing list archive

[Bug 1397340] Re: Integer overflow when processing giant field values

 

This bug was fixed in the package whoopsie - 0.2.43

---------------
whoopsie (0.2.43) vivid; urgency=medium

  * Remove .crash file if we are unable to create a .uploaded file for it
    to prevent trying to upload the same crash file multiple times.
    (LP: #1392412)
  * Avoid buffer overflow when parsing reports. Thanks to John-Mark Bell for
    the patch. (LP: #1397340)
 -- Brian Murray <brian@xxxxxxxxxx>   Wed, 17 Dec 2014 16:17:33 -0800

** Changed in: whoopsie (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/1397340

Title:
  Integer overflow when processing giant field values

Status in whoopsie package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu release: 12.04
  Package version: 0.1.33

  When parsing fields in a crash report file, whoopsie will reallocate
  the value buffer when appending continuation lines. The current length
  of the buffer is computed by pointer arithmetic and the result stored
  in a signed integer. If the field value length reaches 2GB, then this
  value will overflow, and become negative. This will then cause
  whoopsie itself to abort, as it tries to allocate a huge amount of
  memory.

  I would expect whoopsie to cope with such large input (which may be
  generated as the result of a memory-hungry process crashing and
  creating a very large compressed+base64-encoded CoreDump).

  By inspection, I see that this issue is still present in current
  development versions:
  http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/whoopsie/vivid/view/head:/src/whoopsie.c#L402

  I've attached a patch (created against the 0.1.33 sources, but should
  apply with minimal issues against later versions), that resolves the
  immediate issue. There's a more general question about the sanity of
  loading the entire crash file into memory, too (particularly as the
  CoreDump is never used unless the server requests it).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1397340/+subscriptions
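The failure mode described in the report (a field-value length derived from pointer arithmetic and stored in a signed int, which goes negative once the value reaches 2 GB and turns the next reallocation request into a huge size) can be shown on a small continuation-line parser. The code below is an added example and is not whoopsie's code, nor John-Mark Bell's patch; the function names (old_style_length, grow_buf, parse_field_value), the per-field size cap, and the sample report text are all assumptions made for the illustration. It keeps every length in size_t, checks the additions that could wrap, and refuses a value above a caller-chosen cap instead of handing an unbounded request to the allocator.

```c
/* Added example, not whoopsie's code. Hypothetical names throughout. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern behind the report: a pointer difference narrowed to int.
 * Once the difference reaches 2^31 the result is negative on the usual
 * two's-complement targets (the conversion is implementation-defined). */
int old_style_length(long long pointer_diff)
{
    return (int)pointer_diff;
}

/* Grow *buf to at least `need` bytes. Doubles the capacity but never lets
 * the doubling itself wrap around. Returns 0 if realloc fails. */
static int grow_buf(char **buf, size_t *cap, size_t need)
{
    if (need <= *cap)
        return 1;
    size_t new_cap = *cap ? *cap : 64;
    while (new_cap < need) {
        if (new_cap > SIZE_MAX / 2) { new_cap = need; break; }
        new_cap *= 2;
    }
    char *p = realloc(*buf, new_cap);
    if (!p)
        return 0;
    *buf = p;
    *cap = new_cap;
    return 1;
}

/* Parse the value of the "Key: value" field that starts at `text`.
 * Lines that begin with a space continue the value (Apport-style) and are
 * joined with '\n'. Returns a malloc'd NUL-terminated value, or NULL if the
 * field is malformed, the value would exceed `max_value` bytes, or memory
 * runs out. *len_out receives the value length (without the NUL). */
char *parse_field_value(const char *text, size_t text_len,
                        size_t max_value, size_t *len_out)
{
    const char *end = text + text_len;
    const char *colon = memchr(text, ':', text_len);
    if (!colon)
        return NULL;
    const char *p = colon + 1;
    if (p < end && *p == ' ')
        p++;

    char *buf = NULL;
    size_t cap = 0, len = 0;   /* size_t, never int: no sign to lose */
    for (;;) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *line_end = nl ? nl : end;
        size_t piece = (size_t)(line_end - p);
        size_t sep = len ? 1 : 0;

        /* Guarantee len + sep + piece + 1 cannot wrap before computing it. */
        if (len > SIZE_MAX - 2 || piece > SIZE_MAX - 2 - len) {
            free(buf);
            return NULL;
        }
        size_t need = len + sep + piece + 1;
        if (need - 1 > max_value) {      /* policy cap on a single field */
            free(buf);
            return NULL;
        }
        if (!grow_buf(&buf, &cap, need)) {
            free(buf);
            return NULL;
        }
        if (sep)
            buf[len++] = '\n';
        memcpy(buf + len, p, piece);
        len += piece;

        if (!nl)
            break;
        p = nl + 1;
        if (p >= end || *p != ' ')       /* next line starts a new field */
            break;
        p++;                             /* drop the continuation marker */
    }
    buf[len] = '\0';
    if (len_out)
        *len_out = len;
    return buf;
}

int main(void)
{
    /* Constructed sample, shaped like a crash report with a multi-line field. */
    const char *report = "CoreDump: AAAA\n BBBB\n CC\nProblemType: Crash\n";
    size_t n = 0;
    char *v = parse_field_value(report, strlen(report), (size_t)1 << 20, &n);
    printf("value (%zu bytes): %s\n", n, v ? v : "(null)");
    printf("2^31 as int: %d\n", old_style_length(2147483648LL));
    free(v);
    return 0;
}
```

The cap is the piece the page's closing remark points at: a field such as CoreDump that is not needed until the server asks for it should not be allowed to drive the process into an allocation it cannot satisfy, and a bounded reader fails cleanly where the signed-int version aborted.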

