This was found by OSS-Fuzz. This can be reproduced by running this input: `<uuid value="111111111111111111111111111111111111">` against the harness in https://github.com/google/oss-fuzz/blob/master/projects/bluez/fuzz_xml.c which just calls `sdp_xml_parse_record`. `sdp_xml_parse_uuid` checks that the length of the string is 36 (32 digits + 4 '-' characters) prior to calling `sdp_xml_parse_uuid128`. There's no check preventing this data from being 36 digits (with no "-"), which leads to a buffer overflow in sdp_xml_parse_uuid128. https://issues.oss-fuzz.com/issues/42534847 https://oss-fuzz.com/testcase-detail/5070205940531200 --- src/sdp-xml.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/sdp-xml.c b/src/sdp-xml.c index 5efa62ab8..2fa8f28a0 100644 --- a/src/sdp-xml.c +++ b/src/sdp-xml.c @@ -125,10 +125,16 @@ static sdp_data_t *sdp_xml_parse_uuid128(const char *data) buf[0] = data[i]; buf[1] = data[i + 1]; + if (j >= sizeof(val.data)) + return NULL; + val.data[j++] = strtoul(buf, 0, 16); i += 2; } + if (j != sizeof(val.data)) + return NULL; + return sdp_data_alloc(SDP_UUID128, &val); } -- 2.50.1.703.g449372360f-goog
