invalid memory access in idna_to_ascii_8z

[Nikos Mavrogiannopoulos]

Hello Simon,
 Robert reported some invalid memory access in gnutls, and one I traced
it back to libidn. A reproducer is attached. The reproducer uses strings
on the heap because valgrind doesn't seem to detect such accesses on the
stack. 

regards,
Nikos


==623== Invalid read of size 1
==623==    at 0x4E38E7F: g_utf8_to_ucs4_fast (nfkc.c:399)
==623==    by 0x4E38E7F: stringprep_utf8_to_ucs4 (nfkc.c:1023)
==623==    by 0x4E3A7DE: idna_to_ascii_8z (idna.c:578)
==623==    by 0x4005FD: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==  Address 0x541105f is 1 bytes after a block of size 30 alloc'd
==623==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==623==    by 0x50E99D9: strdup (strdup.c:42)
==623==    by 0x4005E0: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623== 
==623== Invalid read of size 1
==623==    at 0x4E38E34: g_utf8_to_ucs4_fast (nfkc.c:444)
==623==    by 0x4E38E34: stringprep_utf8_to_ucs4 (nfkc.c:1023)
==623==    by 0x4E3A7DE: idna_to_ascii_8z (idna.c:578)
==623==    by 0x4005FD: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==  Address 0x541105e is 0 bytes after a block of size 30 alloc'd
==623==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==623==    by 0x50E99D9: strdup (strdup.c:42)
==623==    by 0x4005E0: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623== 
==623== Invalid read of size 1
==623==    at 0x4E38E7F: g_utf8_to_ucs4_fast (nfkc.c:399)
==623==    by 0x4E38E7F: stringprep_utf8_to_ucs4 (nfkc.c:1023)
==623==    by 0x4E3A7DE: idna_to_ascii_8z (idna.c:578)
==623==    by 0x400610: main (in /home/nmav/cvs/gnutls/lib/a.out)
==623==  Address 0x54110af is 0 bytes after a block of size 15 alloc'd
==623==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==623==    by 0x50E99D9: strdup (strdup.c:42)
==623==    by 0x4005ED: main (in /home/nmav/cvs/gnutls/lib/a.out)

rep.c
Description: Text Data