Set a maximum length per line before calling icalparser_add_line This provides a hard limit on parsing to prevent unbounded memory usage or hanging when expanding parameters or properties. RFC 5545 says lines should not exceed 75 octets, so this still provides a pretty large buffer for files to be non-conformant and still parse successfully. oss-fuzz issue 14180, 14171, and 14591.

1 files changed, 10 insertions, 1 deletions

diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 41b95a2a..91996b1b 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -45,6 +45,7 @@
 #include <stdlib.h>
 
 #define TMP_BUF_SIZE 80
+#define MAX_LINE_LENGTH 8192 /* the maximum number of chars per parser line */
 
 struct icalparser_impl
 {
@@ -641,7 +642,15 @@ icalcomponent *icalparser_parse(icalparser *parser,
     do {
         line = icalparser_get_line(parser, line_gen_func);
 
-        if ((c = icalparser_add_line(parser, line)) != 0) {
+        if (line != 0 && strnlen(line, MAX_LINE_LENGTH) >= MAX_LINE_LENGTH) {
+            // Encountered a line that is longer than is reasonable
+            // RFC 5545 Section 3.1 says lines should not be more than 75 octets
+            // A large maximum length allows for lenient parsing but also prevents unbounded memory usage
+            // when parsing intentionally malformed data
+            icalerror_set_errno(ICAL_MALFORMEDDATA_ERROR);
+            icalmemory_free_buffer(line);
+            line = 0;
+        } else if ((c = icalparser_add_line(parser, line)) != 0) {
 
             if (icalcomponent_get_parent(c) != 0) {
                 /* This is bad news... assert? */