[#YWH-PGM8724-145] S-expression octal escapes wrap instead of rejecting out-of-range values (Integer overflow) (#1222) · Issues · sequoia-pgp / sequoia

[#YWH-PGM8724-145] S-expression octal escapes wrap instead of rejecting out-of-range values (Integer overflow)

## Description The IPC S-expression parser blindly folds three-octet escapes into a single byte using unchecked left shifts.【F:ipc/src/sexp/parse/grammar.lalrpop†L228-L235】 When the first octal digit exceeds `3`, the intermediate value overflows the `u8` arithmetic in release builds, effectively taking the result modulo 256. Instead of rejecting inputs such as `\400` (octal 256) as invalid per the transport encoding rules, the parser emits a NUL byte. Attackers who control the S-expression transport can therefore smuggle embedded NULs or other wrapped values through supposedly canonical encodings. Because the parser feeds directly into higher-level decrypt/sign flows,【F:ipc/src/sexp.rs†L60-L167】 the truncation can bypass validation routines that expect the lexer to reject non-byte escapes and can create logic bugs when strings are later interpreted as ASCII command names or length-prefixed fields. The following proof-of-concept shows the wrap-around in action by parsing a basic-transport string containing `\400` and asserting that the resulting byte sequence silently contains a NUL save to `/sequoia/ipc/examples/octal.rs` and run via `cargo run --no-default-features --features "crypto-rust,allow-experimental-crypto,allow-variable-time-crypto" --example octal` ```rust use sequoia_ipc::sexp::Sexp; fn main() -> anyhow::Result<()> { let sexp = Sexp::from_bytes(br#""\400A""#)?; let bytes = match sexp { Sexp::String(s) => s.to_bytes().to_vec(), _ => unreachable!(), }; assert_eq!(bytes, b"\0A"); println!("{:?}", bytes); Ok(()) } ``` Running the snippet prints `[0, 65]`, demonstrating that the escape overflow wraps to `0x00` instead of raising an error. Any downstream code that assumes canonical octal escapes are bounded to `0o000..=0o377` can be tricked into processing injected NULs or other wrapped bytes. ![image.png](/uploads/756f49e7d6edfa7553af87dfeb295b73/image.png){width="1437" height="321"} ## Severity High Justification: attacker-controlled S-expression transport can inject NULs or other wrapped bytes that bypass higher-level validation and feed directly into decrypt/sign and string-parsing logic. This can cause logic/authorization bypasses, malformed length-prefixed parsing, and corruption of cryptographic or command semantics. The bug is trivially reachable from an untrusted input channel and can produce high-impact outcomes (integrity/authorization bypasss, unexpected control-flow or parsing errors). Last commint hash \`05e6707ad2c68fa52a30c3c9a21d54dc00089919\`

issue