[TW-1926] pending.data parsing can end up in endless loop on malicious input
Johannes Wienke on 2017-08-14T19:29:44Z says:
I did some fuzzing with afl for the data format used for pending.data etc. I have found a set of files that make the parser for these files end up in an endless loop, somehow involving the class Pig.
I received these results with a simple test binary with the following code:
{code:c++}
// #include <...>      (first header name was lost in the migrated issue text)
#include "TDB2.h"
#include <Context.h>
#include <string>       // std::string

Context context;

// Minimal harness: point TF2 at the file given on the command line and
// force it to parse, swallowing any exception so only hangs/crashes remain.
int main (int argc, char* argv[])
{
  TF2 tasks;
  try
  {
    tasks.target (std::string (argv[1]));
    tasks.get_tasks ();
  }
  catch (...)
  {
  }

  return 0;
}
{code}
Migrated metadata:
Created: 2017-08-14T19:29:44Z
Modified: 2017-10-12T03:22:23Z
Johannes Wienke on 2017-08-14T19:30:25Z says:
Yikes, why is Ctrl+Enter submitting the issue... Anyway, attached are the files that result in this behavior. Just put one of them in a fresh TASKDATA folder and rename it to pending.data; afterwards, start task to reproduce the problem, or just use the test program I have mentioned above with the file as the first argument.
Paul Beckingham on 2017-10-12T03:22:23Z says:
Thank you.
No longer using TDB2, so no longer an issue.
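Added example, not code from the Taskwarrior project or from the reporter: a self-contained C++ scanner for a hypothetical `[key:"value" key:"value"]` line format, loosely modelled on a pending.data line, showing the class of bug this kind of fuzzing turns up (a tokenising loop that retries on failure without consuming any input) next to a guarded version that fails fast. The format, the `Scanner` class, `parseNaive`, `parseGuarded` and the sample lines are all constructed for this illustration; nothing here describes what Pig or TF2 actually do.

```cpp
#include <cctype>
#include <cstddef>
#include <fstream>
#include <iostream>
#include <map>
#include <string>

// Illustrative record format, loosely modelled on one line of pending.data:
//   [key:"value" key:"value"]
// This is added example code, not Taskwarrior's TF2/Pig parser.
using Record = std::map<std::string, std::string>;

// Minimal cursor-based scanner over one line.
class Scanner {
public:
  explicit Scanner(const std::string& s) : text_(s), pos_(0) {}
  std::size_t pos() const { return pos_; }
  bool eos() const { return pos_ >= text_.size(); }
  bool skip(char c) {
    if (!eos() && text_[pos_] == c) { ++pos_; return true; }
    return false;
  }
  void skipWhitespace() { while (!eos() && text_[pos_] == ' ') ++pos_; }
  // Consume [A-Za-z0-9_]+; on no match consume nothing and return false.
  bool getName(std::string& out) {
    std::size_t start = pos_;
    while (!eos() && (std::isalnum(static_cast<unsigned char>(text_[pos_])) ||
                      text_[pos_] == '_'))
      ++pos_;
    if (pos_ == start) return false;
    out = text_.substr(start, pos_ - start);
    return true;
  }
  // Consume "..." with backslash escapes; on an unterminated string rewind
  // to the starting position and return false.
  bool getQuoted(std::string& out) {
    std::size_t start = pos_;
    if (!skip('"')) return false;
    out.clear();
    while (!eos() && text_[pos_] != '"') {
      if (text_[pos_] == '\\' && pos_ + 1 < text_.size()) ++pos_;
      out += text_[pos_++];
    }
    if (!skip('"')) { pos_ = start; return false; }
    return true;
  }
private:
  std::string text_;
  std::size_t pos_;
};

struct NaiveResult { bool ok; std::size_t iterations; };

// The hazard: every failure path retries without consuming input, so a stray
// byte or an unterminated quote makes the loop spin forever. maxIterations
// exists only so this demonstration terminates; real code would hang.
NaiveResult parseNaive(const std::string& line, Record& rec, std::size_t maxIterations) {
  Scanner s(line);
  if (!s.skip('[')) return {false, 0};
  std::size_t iterations = 0;
  while (!s.eos() && !s.skip(']')) {
    if (++iterations > maxIterations) return {false, iterations};
    s.skipWhitespace();
    std::string key, value;
    if (!s.getName(key)) continue;      // failed, nothing consumed
    if (!s.skip(':')) continue;         // failed, nothing consumed
    if (!s.getQuoted(value)) continue;  // rewound, nothing consumed
    rec[key] = value;
  }
  return {true, iterations};
}

// Hardened: reject unrecognised input instead of retrying, and keep a progress
// invariant (each iteration must consume at least one byte) so that a future
// failure path that forgets to advance still cannot hang the parser.
bool parseGuarded(const std::string& line, Record& rec) {
  Scanner s(line);
  if (!s.skip('[')) return false;
  while (!s.eos()) {
    std::size_t before = s.pos();
    s.skipWhitespace();
    if (s.skip(']')) return s.eos();   // the closing bracket must end the line
    std::string key, value;
    if (!s.getName(key) || !s.skip(':') || !s.getQuoted(value)) return false;
    if (s.pos() == before) return false;  // progress invariant; cannot trigger here, cheap to keep
    rec[key] = value;
  }
  return false;  // ran off the end without a closing ']'
}

// Same shape as the reporter's harness: parse the file named on the command line.
int main(int argc, char* argv[]) {
  if (argc < 2) return 2;
  std::ifstream in(argv[1]);
  std::string line;
  int bad = 0;
  for (int n = 1; std::getline(in, line); ++n) {
    Record rec;
    if (!parseGuarded(line, rec)) { std::cerr << "line " << n << ": rejected\n"; ++bad; }
  }
  return bad ? 1 : 0;
}
```

Built with a fuzzing compiler wrapper the way the reporter's harness was, the guarded version turns the inputs that hang the naive loop into quick rejections, so the fuzzer reports nothing for them and the remaining findings are real crashes rather than timeouts.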