On Thu, Aug 18, 2005 at 04:00:47PM -0400, Derek Martin wrote:

> Can you reproduce this if you recompile libiconv/gettext/mutt?
> I reported that bug on Jul 12, but in fact it only happened with
> libiconv/gettext compiled against an OpenBSD libc before the mb*() changes,
> but then running libc 38.2.
> An easier way to trigger this is ftp://ftp.00f.net/misc/mutt-crash-poc.mbox

For what it's worth, I've just checked, and I can't get *l to overflow on either the original mbox or the follow-up. It hits 1000 several times, but it never goes over. Likewise, valgrind is perfectly happy with this. (It's less happy with the fact that we leak relatively large amounts of memory, but hey...)

In addition, in the xbit conversion function there's a specific check against sizeof(bufi). I haven't checked the others.

Having said that, it's not obvious to me exactly what convert_to_state is doing. Why is there a memmove at the end, for example, when it looks like the buffer pointer won't actually be changed?

-- 
Paul