[Mutt] #2885: Buffer overflows in mutt_gecos_name
#2885: Buffer overflows in mutt_gecos_name
{{{
--- muttlib.c.orig Thu Jun 8 13:51:03 2006
+++ muttlib.c Thu May 3 13:41:28 2007
@@ -532,16 +532,19 @@ char *mutt_gecos_name (char *dest, size_t destlen,
str
pwnl = strlen (pw->pw_name);
- for (idx = 0; dest[idx]; idx++)
+ for (idx = 0; dest[idx] && idx < destlen - 1; idx++)
{
if (dest[idx] == '&')
{
- memmove (&dest[idx + pwnl], &dest[idx + 1],
+ /* Don't move if destination is outside buffer. */
+ if (idx + pwnl < destlen)
+ memmove (&dest[idx + pwnl], &dest[idx + 1],
MAX(destlen - idx - pwnl - 1, 0));
memcpy (&dest[idx], pw->pw_name, MIN(destlen - idx - 1, pwnl));
dest[idx] = toupper ((unsigned char) dest[idx]);
}
}
+ dest[idx] = '\0';
return dest;
}
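Review bot: The new loop bound `idx < destlen - 1` and the added `dest[idx] = '\0';` both assume destlen is at least 1; destlen is a size_t, so a zero length wraps the bound to SIZE_MAX and the terminator is written into a buffer with no room for it. The start of mutt_gecos_name lies outside this hunk, so if no earlier check covers that case, a guard such as `if (destlen == 0) return dest;` before the loop would close it. Separately, `MAX(destlen - idx - pwnl - 1, 0)` cannot clamp anything if the expression is evaluated as unsigned (the declarations of idx and pwnl are not visible here), which leaves the added `if (idx + pwnl < destlen)` as the only real bound on the memmove length. A comment stating that, for example `/* size_t arithmetic: this check, not MAX(), keeps the length from wrapping */`, would keep a later cleanup from removing the guard.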
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2885>