
[Mutt] #2885: Buffer overflows in mutt_gecos_name



#2885: Buffer overflows in mutt_gecos_name

 {{{
 --- muttlib.c.orig      Thu Jun  8 13:51:03 2006
 +++ muttlib.c   Thu May  3 13:41:28 2007
 @@ -532,16 +532,19 @@ char *mutt_gecos_name (char *dest, size_t destlen,
 str

    pwnl = strlen (pw->pw_name);

 -  for (idx = 0; dest[idx]; idx++)
 +  for (idx = 0; dest[idx] && idx < destlen - 1; idx++)
    {
      if (dest[idx] == '&')
      {
 -      memmove (&dest[idx + pwnl], &dest[idx + 1],
 +      /* Don't move if destination is outside buffer. */
 +      if (idx + pwnl < destlen)
 +        memmove (&dest[idx + pwnl], &dest[idx + 1],
                MAX(destlen - idx - pwnl - 1, 0));
        memcpy (&dest[idx], pw->pw_name, MIN(destlen - idx - 1, pwnl));
        dest[idx] = toupper ((unsigned char) dest[idx]);
      }
    }
 +  dest[idx] = '\0';

    return dest;
  }
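Review bot: The new loop bound `idx < destlen - 1` and the trailing `dest[idx] = '\0';` both assume destlen is at least 1. destlen is a size_t (per the hunk header), so a zero length wraps `destlen - 1` to SIZE_MAX and the terminator is then written into a buffer with no room for it. A guard ahead of the loop such as `if (destlen == 0) return dest;` would close that, although the start of mutt_gecos_name lies outside the hunk and may already reject it. Separately, `MAX(destlen - idx - pwnl - 1, 0)` is computed in unsigned arithmetic, so the clamp to 0 can never take effect; the added `if (idx + pwnl < destlen)` test is what actually bounds the memmove. The comment could say so, e.g. `/* Guard the memmove: the size_t subtraction below wraps instead of going negative. */`.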
 }}}

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2885>