
Re: Fwd: [Full-disclosure] mutt buffer overflow



On Thu, Aug 18, 2005 at 04:00:47PM -0400, Derek Martin wrote:

>  Can you reproduce this if you recompile libiconv/gettext/mutt?
>  I reported that bug on Jul 12, but in fact it only happened with
> libiconv/gettext compiled against an OpenBSD libc before the mb*() changes,
> but then running libc 38.2.
>  An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox

For what it's worth, I've just checked, and I can't get *l to overflow on
either the original mbox or the follow-up. It hits 1000 several times, but
it never goes over. Likewise, valgrind is perfectly happy with this.

(It's less happy with the fact we leak relatively large amounts of memory,
but hey...)

In addition, in the xbit conversion function there's a specific check
against sizeof(bufi). I haven't checked the others.

Having said that, it's not obvious to me exactly what convert_to_state is
doing. Why is there a memmove at the end, for example, when it looks like
the buffer pointer won't actually be changed?

-- 
Paul
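As an added illustration (not mutt's code, and not from either poster), the shape of a bounded conversion state the thread is probing: an accumulation buffer bufi, a fill level l that must never exceed sizeof(bufi), and a trailing memmove. The converter is a stub assumed here for iconv(3); the memmove is needed in this pattern because an unconsumed partial multibyte sequence has to be shifted to the front of bufi even though the bufi pointer itself never changes.

```c
#include <stddef.h>
#include <string.h>

#define BUFI_SIZE 1000   /* the 1000-byte limit mentioned in the thread */

typedef struct {
    char   bufi[BUFI_SIZE];   /* accumulated, not-yet-converted input */
    size_t l;                 /* bytes currently held in bufi */
    size_t converted;         /* total bytes handed to the converter */
} conv_state;

/* Stand-in for iconv(3) (assumption): accepts only complete 3-byte
 * "characters" and leaves a trailing partial one unconsumed. */
static size_t stub_convert(const char *in, size_t inl) {
    (void)in;
    return inl - inl % 3;
}

/* Feed n bytes into the state. The explicit check against sizeof(bufi)
 * refuses input that would overflow; the memmove keeps the leftover
 * partial sequence at the start of bufi for the next call.
 * Returns the number of input bytes accepted (may be less than n). */
size_t convert_to_state(conv_state *s, const char *data, size_t n) {
    size_t room = sizeof(s->bufi) - s->l;   /* never negative: l <= BUFI_SIZE */
    if (n > room)
        n = room;                           /* take only what fits */
    memcpy(s->bufi + s->l, data, n);
    s->l += n;

    size_t used = stub_convert(s->bufi, s->l);
    s->converted += used;
    memmove(s->bufi, s->bufi + used, s->l - used);  /* shift unconsumed tail */
    s->l -= used;
    return n;
}

/* Constructed input: 1500 bytes offered at once. Returns bufi's fill
 * level afterwards; only 1000 are accepted, 999 converted, 1 left over. */
size_t demo_oversized_input(void) {
    static char big[1500];
    conv_state s;
    memset(&s, 0, sizeof s);
    memset(big, 'x', sizeof big);
    convert_to_state(&s, big, sizeof big);
    return s.l;
}

/* Constructed input split across two calls: "abcdefg" leaves 'g'
 * unconsumed, and "hi" completes it. Returns total bytes converted (9). */
size_t demo_partial_sequence(void) {
    conv_state s;
    memset(&s, 0, sizeof s);
    convert_to_state(&s, "abcdefg", 7);
    convert_to_state(&s, "hi", 2);
    return s.converted;
}
```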
