
Re: mutt/2033: buffer overflow in attachment decoding function
Synopsis: buffer overflow in attachment decoding function

**** Comment added by paul on Sun, 26 Mar 2006 01:41:22 +0100 ****
I haven't checked the source yet, but valgrind is inclined to agree that mutt (or a library it uses) is doing something it shouldn't. Could be we're passing in a bad length in some way.

==14752== Invalid read of size 4
==14752==    at 0x1B8F4CA8: (within /lib/ld-2.3.5.so)
==14752==    by 0x1B8EA24D: (within /lib/ld-2.3.5.so)
==14752==    by 0x1BBA10AF: dl_open_worker (dl-open.c:259)
==14752==    by 0x1B8EF105: (within /lib/ld-2.3.5.so)
==14752==    by 0x1BBA19B8: _dl_open (dl-open.c:577)
==14752==    by 0x1BBA2DBB: do_dlopen (dl-libc.c:80)
==14752==    by 0x1B8EF105: (within /lib/ld-2.3.5.so)
==14752==    by 0x1BBA2D70: dlerror_run (dl-libc.c:42)
==14752==    by 0x1BBA2E7D: __libc_dlopen_mode (dl-libc.c:153)
==14752==    by 0x1BAD6B29: __gconv_find_shlib (gconv_dl.c:117)
==14752==    by 0x1BACED2C: find_derivation (gconv_db.c:256)
==14752==    by 0x1BACF3D8: __gconv_find_transform (gconv_db.c:723)
==14752==  Address 0x1BE39730 is 48 bytes inside a block of size 49 alloc'd
==14752==    at 0x1B9008A2: malloc (vg_replace_malloc.c:149)
==14752==    by 0x1BAD6BA5: __gconv_find_shlib (gconv_dl.c:89)
==14752==    by 0x1BACED2C: find_derivation (gconv_db.c:256)
==14752==    by 0x1BACF3D8: __gconv_find_transform (gconv_db.c:723)
==14752==    by 0x1BACDEF2: __gconv_open (gconv_open.c:172)
==14752==    by 0x1BACDB57: iconv_open (iconv_open.c:54)
==14752==    by 0x80A8686: mutt_iconv_open (charset.c:332)
==14752==    by 0x80A89F7: mutt_convert_string (charset.c:427)
==14752==    by 0x809B9C2: rfc2047_decode (rfc2047.c:672)
==14752==    by 0x809BAC3: rfc2047_decode_adrlist (rfc2047.c:774)
==14752==    by 0x808EAA8: mutt_read_rfc822_header (parse.c:1415)
==14752==    by 0x807C67C: mbox_parse_mailbox (mbox.c:299)