Integer overflow when processing giant field values

Bug #1397340 reported by John-Mark Bell
Affects: whoopsie (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Brian Murray | Milestone: (none)

Bug Description

Ubuntu release: 12.04
Package version: 0.1.33

When parsing fields in a crash report file, whoopsie will reallocate the value buffer when appending continuation lines. The current length of the buffer is computed by pointer arithmetic and the result stored in a signed integer. If the field value length reaches 2GB, then this value will overflow, and become negative. This will then cause whoopsie itself to abort, as it tries to allocate a huge amount of memory.

I would expect whoopsie to cope with such large input (which may be generated as the result of a memory-hungry process crashing and creating a very large compressed+base64-encoded CoreDump).

By inspection, I see that this issue is still present in current development versions: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/whoopsie/vivid/view/head:/src/whoopsie.c#L402

I've attached a patch (created against the 0.1.33 sources, but should apply with minimal issues against later versions), that resolves the immediate issue. There's a more general question about the sanity of loading the entire crash file into memory, too (particularly as the CoreDump is never used unless the server requests it).
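The length-tracking pattern the report describes, recast as an added example (this is not whoopsie's code or the attached patch): the hardened form keeps lengths in size_t, checks the addition before realloc, and refuses values above a constructed per-field cap, since a negative int length converted to size_t is what turns into the huge allocation. The function names and MAX_FIELD_BYTES are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy limit for one field value (2 GiB); not a whoopsie setting.
 * With a cap in place, a single oversized CoreDump cannot exhaust memory. */
#define MAX_FIELD_BYTES ((size_t)1 << 31)

/* Compute len + add + 1 (room for the NUL) entirely in size_t.
 * Returns false if the sum would wrap or exceed the policy cap.
 * The vulnerable pattern instead did `int len = end - start;`, which
 * becomes negative past INT_MAX and then converts to a huge size_t. */
bool checked_field_size(size_t len, size_t add, size_t *out)
{
    if (add > SIZE_MAX - 1 || len > SIZE_MAX - 1 - add)
        return false;                       /* would wrap around */
    if (len + add > MAX_FIELD_BYTES)
        return false;                       /* over the per-field cap */
    *out = len + add + 1;
    return true;
}

/* Append one continuation line to *value, which currently holds *len bytes
 * and is NUL-terminated (or NULL with *len == 0 for an empty field).
 * On overflow, cap, or allocation failure the buffer is left untouched. */
bool append_continuation(char **value, size_t *len,
                         const char *line, size_t line_len)
{
    size_t new_size;
    if (!checked_field_size(*len, line_len, &new_size))
        return false;
    char *grown = realloc(*value, new_size);   /* realloc(NULL, n) == malloc(n) */
    if (!grown)
        return false;
    memcpy(grown + *len, line, line_len);
    grown[*len + line_len] = '\0';
    *value = grown;
    *len += line_len;
    return true;
}

int main(void)
{
    /* Constructed input: a field value continued over two lines. */
    char *value = NULL;
    size_t len = 0;
    bool ok = append_continuation(&value, &len, "H4sIAAAA", 8)
           && append_continuation(&value, &len, "AAAAAEA", 7);
    free(value);
    return ok ? 0 : 1;
}
```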

John-Mark Bell (jmb202) wrote :

[attachment: whoopsie.patch]

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "whoopsie.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray) wrote :

A likely candidate for the crash corresponding to this report is the following:

https://errors.ubuntu.com/problem/2b929ca4aff09a8714851de0c45279b036386a10

tags: added: trusty utopic vivid
Changed in whoopsie (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Brian Murray (brian-murray)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.43

---------------
whoopsie (0.2.43) vivid; urgency=medium

  * Remove .crash file if we are unable to create a .uploaded file for it
    to prevent trying to upload the same crash file multiple times.
    (LP: #1392412)
  * Avoid buffer overflow when parsing reports. Thanks to John-Mark Bell for
    the patch. (LP: #1397340)
 -- Brian Murray <email address hidden> Wed, 17 Dec 2014 16:17:33 -0800

Changed in whoopsie (Ubuntu):
status: In Progress → Fix Released