
[PATCH] Fix buffer overflow in mutt_FormatString()



Hi,

while debugging #2882 I found a buffer overflow in mutt_FormatString().

The 'count' variable counts how many bytes we have left for padding, while in the affected line the code subtracts the current column, i.e. the string width so far, not its byte size.

This makes mutt crash if the terminal width is larger than the destination buffer and the part leading up to the padding contains multibyte characters (because then column offset != byte offset).

The attached patch fixes it.

However, with it applied using padding to e.g. right-align the number of hidden messages in a thread results in ugly screen output if the line contains multibyte characters because for the buffer size of 256 the width of these lines may differ. However, there's not much mutt can do about it IMHO besides using larger buffers (I think finding the shortest line in terms of width and then reformatting everything else is speed-wise not acceptable). Still, minor display issues are better than crashes and buffer overflows...

  bye, Rocco
--
:wq!
diff --git a/muttlib.c b/muttlib.c
index ccfc869..c5c4ff4 100644
--- a/muttlib.c
+++ b/muttlib.c
@@ -1205,7 +1205,7 @@ void mutt_FormatString (char *dest,               /* 
output buffer */
        count = (COLS < destlen ? COLS : destlen);
        if (count > col)
        {
-         count -= col; /* how many columns left on this line */
+         count -= wlen; /* how many byte left for this line's buffer */
          mutt_FormatString (buf, sizeof (buf), 0, src, callback, data, flags);
          len = mutt_strlen (buf);
          wid = mutt_strwidth (buf);
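Review bot: the guard two lines above the changed line still reads `if (count > col)` while the subtraction now uses `wlen`; in the multibyte case this mail describes, `wlen` can exceed `count` while `col` does not, so `count -= wlen` underflows (or goes negative, depending on the type of `count`) instead of being skipped. Suggest making the guard match the new operand, `if (count > wlen)`, and while there fixing the comment to `/* how many bytes left for this line's buffer */`.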
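The column-versus-byte mismatch the mail describes, worked through as an added C example that is not part of mutt or of the patch: it computes the padding count both ways (subtracting the column offset, as the old line did, and subtracting the bytes written, as the patched line does) and checks which one still fits the destination buffer. The UTF-8 decoder, the simplified width table (East Asian wide ranges count as two columns, everything else as one; mutt uses wcwidth()), the sample strings and the buffer sizes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample prefixes: six "é" (2 bytes, 1 column each) and two
 * CJK ideographs (3 bytes, 2 columns each). Written as escapes so the
 * source file encoding does not matter. */
static const char PREFIX_MB[] = "\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9";
static const char PREFIX_CJK[] = "\xE6\x97\xA5\xE6\x9C\xAC";

/* Decode one UTF-8 sequence; returns its byte length (1..4) or 0 if the
 * lead or continuation bytes are malformed. Checks bytes in order, so a
 * NUL in the middle of a sequence stops the read. */
static size_t utf8_decode(const unsigned char *s, uint32_t *cp)
{
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x1F) << 6) | (s[1] & 0x3F);
        return 2;
    }
    if ((s[0] & 0xF0) == 0xE0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x0F) << 12) | ((uint32_t)(s[1] & 0x3F) << 6)
            | (s[2] & 0x3F);
        return 3;
    }
    if ((s[0] & 0xF8) == 0xF0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80
        && (s[3] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x07) << 18) | ((uint32_t)(s[1] & 0x3F) << 12)
            | ((uint32_t)(s[2] & 0x3F) << 6) | (s[3] & 0x3F);
        return 4;
    }
    return 0;
}

/* Assumed width table: a few East Asian wide ranges are 2 columns, the rest 1.
 * Good enough for the demonstration; real code should call wcwidth(). */
static int cp_width(uint32_t cp)
{
    if ((cp >= 0x1100 && cp <= 0x115F) || (cp >= 0x2E80 && cp <= 0xA4CF) ||
        (cp >= 0xAC00 && cp <= 0xD7A3) || (cp >= 0xF900 && cp <= 0xFAFF) ||
        (cp >= 0xFF00 && cp <= 0xFF60) || (cp >= 0xFFE0 && cp <= 0xFFE6))
        return 2;
    return 1;
}

/* Terminal width in columns of a UTF-8 string (the role of mutt_strwidth). */
size_t str_width(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t width = 0;
    while (*p) {
        uint32_t cp;
        size_t n = utf8_decode(p, &cp);
        if (n == 0) { p++; width++; continue; } /* count a bad byte as one column */
        width += cp_width(cp);
        p += n;
    }
    return width;
}

/* Padding count as the pre-patch line computed it: start from
 * min(COLS, destlen) and subtract the column offset. */
size_t pad_by_columns(size_t cols, size_t destlen, size_t col)
{
    size_t count = cols < destlen ? cols : destlen;
    return count > col ? count - col : 0;
}

/* Padding count as the patched line computes it: subtract the bytes already
 * written to dest, since count is a byte budget, not a column budget. */
size_t pad_by_bytes(size_t cols, size_t destlen, size_t wlen)
{
    size_t count = cols < destlen ? cols : destlen;
    return count > wlen ? count - wlen : 0;
}

/* 1 if writing `pad` bytes after `wlen` bytes already written stays inside
 * a destlen-byte buffer, 0 if it would run past the end. */
int pad_fits(size_t destlen, size_t wlen, size_t pad)
{
    return wlen + pad <= destlen;
}

int main(void)
{
    const size_t cols = 80, destlen = 20; /* wide terminal, small buffer */
    const char *samples[] = { "abcdef", PREFIX_MB, PREFIX_CJK };
    for (size_t i = 0; i < 3; i++) {
        size_t wlen = strlen(samples[i]), col = str_width(samples[i]);
        size_t by_col = pad_by_columns(cols, destlen, col);
        size_t by_len = pad_by_bytes(cols, destlen, wlen);
        printf("bytes=%zu cols=%zu  pad(col)=%zu fits=%d  pad(wlen)=%zu fits=%d\n",
               wlen, col, by_col, pad_fits(destlen, wlen, by_col),
               by_len, pad_fits(destlen, wlen, by_len));
    }
    return 0;
}
```

For the pure ASCII prefix both computations agree; for the multibyte prefixes the column-based count overshoots the buffer by exactly `wlen - col` bytes, which is the overflow the mail reports, while the byte-based count stays inside it.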