[PATCH] Fix buffer overflow in mutt_FormatString()
Hi,
while debugging #2882 I found a buffer overflow in mutt_FormatString().
The 'count' variable counts how many bytes we have left for padding,
while in the affected line the code subtracts the current column, i.e.
the string width so far, not its byte size.
This makes mutt crash if the terminal width is larger than the
destination buffer and the part leading up to the padding contains
multibyte characters (because then column offset != byte offset).
The attached patch fixes it.
However, with it applied using padding to e.g. right-align the number of
hidden messages in a thread results in ugly screen output if the line
contains multibyte characters because for the buffer size of 256 the
width of these lines may differ. However, there's not much mutt can do
about it IMHO besides using larger buffers (I think finding the shortest
line in terms of width and then reformatting everything else is
speed-wise not acceptable). Still, minor display issues are better than
crashes and buffer overflows...
bye, Rocco
--
:wq!
diff --git a/muttlib.c b/muttlib.c
index ccfc869..c5c4ff4 100644
--- a/muttlib.c
+++ b/muttlib.c
@@ -1205,7 +1205,7 @@ void mutt_FormatString (char *dest, /*
output buffer */
count = (COLS < destlen ? COLS : destlen);
if (count > col)
{
- count -= col; /* how many columns left on this line */
+ count -= wlen; /* how many byte left for this line's buffer */
mutt_FormatString (buf, sizeof (buf), 0, src, callback, data, flags);
len = mutt_strlen (buf);
wid = mutt_strwidth (buf);
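Review bot: the guard on the line above the change still compares against `col` while the subtraction now uses `wlen`, so the two can disagree: with multibyte text `wlen` can exceed `col`, and for `col < count <= wlen` the new `count -= wlen;` drives `count` below zero (or wraps it if `count` is unsigned) even though `if (count > col)` passed. Suggest making the guard match the quantity being subtracted, e.g. `if (count > wlen)`, so the padding budget is checked and consumed in the same units (bytes). Minor: the new comment should read "how many bytes left".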