(CVE-2018-12910) soup-cookie-jar.c out-of-bounds read
This is an out-of-bounds (OOB) read bug in libsoup.
Source code: soup-cookie-jar.c, line 318.
domain = cur = g_strdup_printf (".%s", uri->host); <======== this bug only occurs when uri->host is an empty string (domain is then just ".")
next_domain = domain + 1; <======== next_domain then points at the string's NUL terminator
do {
new_head = domain_cookies = g_hash_table_lookup (priv->domains, cur);
while (domain_cookies) {
GSList *next = domain_cookies->next;
SoupCookie *cookie = domain_cookies->data;
if (cookie->expires && soup_date_is_past (cookie->expires)) {
cookies_to_remove = g_slist_append (cookies_to_remove,
cookie);
new_head = g_slist_delete_link (new_head, domain_cookies);
g_hash_table_insert (priv->domains,
g_strdup (cur),
new_head);
} else if (soup_cookie_applies_to_uri (cookie, uri) &&
(for_http || !cookie->http_only))
cookies = g_slist_append (cookies, copy_cookies ? soup_cookie_copy (cookie) : cookie);
domain_cookies = next;
}
cur = next_domain;
if (cur)
next_domain = strchr (cur + 1, '.'); <======== cur + 1 is now one past the NUL terminator, so strchr reads out of bounds
} while (cur);
This bug could be used to access the cookies of another domain by placing a string containing that domain's name at the out-of-bounds location. test.html