Reset the parser level to 0 when encountering a line with END before BEGIN Fixes memory leaks caused by the parser behaving incorrectly when the level is negative. oss-fuzz issue 14480, 14151, 14152, 14153, 14155.

author: Kent Sutherland <git@ksuther.com> 2019-05-11 19:59:03 +0000
committer: Allen Winter <allen.winter@kdab.com> 2019-05-12 08:56:54 -0400
commit: 508872732426ce653fd8fe3a7253efe769894381 (patch)
tree: 850e87d25852ee5c97f7e5ac12f62e1296de6fbf
parent: e9eb4c1253be8130fcbe3b248147a1be40af7437 (diff)
download: libical-git-508872732426ce653fd8fe3a7253efe769894381.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 57150360..41b95a2a 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -783,8 +783,15 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
         icalmemory_free_buffer(str);
         str = NULL;
 
-        /* Return the component if we are back to the 0th level */
-        if (parser->level == 0) {
+        if (parser->level < 0) {
+            // Encountered an END before any BEGIN, this must be invalid data
+            icalerror_warn("Encountered END before BEGIN");
+
+            parser->state = ICALPARSER_ERROR;
+            parser->level = 0;
+            return 0;
+        } else if (parser->level == 0) {
+            /* Return the component if we are back to the 0th level */
             icalcomponent *rtrn;
 
             if (pvl_count(parser->components) != 0) {
author	Kent Sutherland <git@ksuther.com>	2019-05-11 19:59:03 +0000
committer	Allen Winter <allen.winter@kdab.com>	2019-05-12 08:56:54 -0400
commit	508872732426ce653fd8fe3a7253efe769894381 (patch)
tree	850e87d25852ee5c97f7e5ac12f62e1296de6fbf
parent	e9eb4c1253be8130fcbe3b248147a1be40af7437 (diff)
download	libical-git-508872732426ce653fd8fe3a7253efe769894381.tar.gz