Project

General

Profile

Actions

Bug #12374

closed

Resolve an overflow with the Boost spirit grammar implementation for message resource plurals

Added by Matthias Van Ceulebroeck 11 months ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Target version:
Start date:
01/31/2024
Due date:
% Done:

0%

Estimated time:

Description

The string that is added as the parameter for WMessageResource::resolvePluralKey, is evaluated by a grammar written with Boost spirit.
This lead to an issue noticed by OSS-Fuzz. While this is not a reasonable attack vector, it can potentially lead to crashes if a developer makes a mistake. While this mistake is likely to be noticed during development, there is a possibility of a typo causing side-effects that should not happen.

There is the potential of a stackoverflow here, when Boost spirit is allowed to recursively keep going without a depth limitation.


Related issues 2 (1 open1 closed)

Related to Bug #12352: Resolve an issue with the Boost spirit grammar implementation for message resource pluralsClosedMatthias Van Ceulebroeck01/24/2024

Actions
Related to Improvements #12384: Make the Boost::spirit parser for WMessageResources plurals more robustNew02/05/2024

Actions
Actions #1

Updated by Matthias Van Ceulebroeck 11 months ago

  • Related to Bug #12352: Resolve an issue with the Boost spirit grammar implementation for message resource plurals added
Actions #2

Updated by Yoika Ghysens 11 months ago

  • Status changed from InProgress to Review
  • Assignee changed from Matthias Van Ceulebroeck to Yoika Ghysens
Actions #3

Updated by Matthias Van Ceulebroeck 11 months ago

  • Related to Improvements #12384: Make the Boost::spirit parser for WMessageResources plurals more robust added
Actions #4

Updated by Matthias Van Ceulebroeck 11 months ago

  • Status changed from Review to Implemented @Emweb
  • Assignee changed from Yoika Ghysens to Matthias Van Ceulebroeck
Actions #5

Updated by Matthias Van Ceulebroeck 11 months ago

  • Status changed from Implemented @Emweb to Closed
Actions

Also available in: Atom PDF