[PATCH] Fix buffer overflow in mutt_FormatString()

[Rocco Rutte <pdmef@xxxxxxx>]

Hi,

while debugging #2882 I found a buffer overflow in mutt_FormatString().

The 'count' variable counts how many bytes we have left for padding, 
while in the affected line the code substracts the current column, i.e. 
the string width so far, not it's byte size.

This makes mutt crash if the terminal width is larger than the 
destination buffer and the part leading up to the padding contains 
multibyte characters (because then column offset != byte offset).

The attached patch fixes it.

However, with it applied using padding to e.g. right-align the number of 
hidden messages in a thread results in ugly screen output if the line 
contains multibyte characters because for the buffer size of 256 the 
width of these lines may differ. However, there's not much mutt can do 
about it IMHO besides using larger buffers (I think finding the shortest 
line in terms of width and then reformatting everything else is 
speed-wise not acceptable). Still, minor display issues are better than 
crashes and buffer overflows...

  bye, Rocco
--
:wq!

diff --git a/muttlib.c b/muttlib.c
index ccfc869..c5c4ff4 100644
--- a/muttlib.c
+++ b/muttlib.c
@@ -1205,7 +1205,7 @@ void mutt_FormatString (char *dest,               /* 
output buffer */
        count = (COLS < destlen ? COLS : destlen);
        if (count > col)
        {
-         count -= col; /* how many columns left on this line */
+         count -= wlen; /* how many byte left for this line's buffer */
          mutt_FormatString (buf, sizeof (buf), 0, src, callback, data, flags);
          len = mutt_strlen (buf);
          wid = mutt_strwidth (buf);