[Mutt] #2980: url.c:url_parse_mailto: writes past buffer end
{{{
----- Forwarded message from Lionel Elie Mamane <lionel@xxxxxxxxx> -----
Date: Sat, 26 May 2007 22:48:06 +0200
From: Lionel Elie Mamane <lionel@xxxxxxxxx>
Subject: Bug#426158: mutt: writes past buffer end
Mutt, in its parsing of "mailto:" URLs, in some situations writes
after the end of a fixed-size buffer. I'm not sure it is exploitable,
because the data being written is not attacker-controlled (only a null
character), but I'd rather someone more expert than me at security
took a look at it.
It happens in file url.c, function url_parse_mailto, in the else block
of the very last "if" of the file:
    if (!ascii_strcasecmp (tag, "body"))
    {
      if (body)
        mutt_str_replace (body, value);
    }
    else
    {
      taglen = strlen (tag);
      /* mutt_parse_rfc822_line makes some assumptions */
      snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
      scratch[taglen] = '\0';
      value = &scratch[taglen+1];
      SKIPWS (value);
      mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
    }
scratch is declared like this:
    char scratch[HUGE_STRING];
where (in lib.h):
    # define HUGE_STRING 5120
The line
    scratch[taglen] = '\0';
will write past the end of "scratch". To trigger that, pass as
argument to mutt:
    mailto:user@xxxxxxxxxxx?Here_a_string_in_URL_percent_encoded_format_that_is_longer_than_5120_characters=foo
I propose to add:
    /* clamp so that scratch[taglen] and scratch[taglen+1] stay inside the buffer */
    if (taglen >= sizeof (scratch))
      taglen = sizeof (scratch) - 2;
as a safety.
}}}
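As an added illustration (not mutt's code, names are hypothetical), the tag/value split described in the report, rewritten so that an oversize tag is rejected before anything is written at scratch[taglen]; the buffer size uses the HUGE_STRING value quoted in the ticket.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HUGE_STRING 5120   /* value quoted from mutt's lib.h in the ticket */

/* Hypothetical bounded splitter (assumption, not mutt's API): builds
 * "tag: value" in scratch and splits it in place, as url_parse_mailto does.
 * Returns a pointer to the value part, or NULL when the tag cannot fit
 * together with the NUL at scratch[taglen] and a byte for value to
 * point at, instead of writing past the end of the buffer. */
static char *split_tag_value(const char *tag, const char *value,
                             char *scratch, size_t scratch_len)
{
    size_t taglen = strlen(tag);

    /* taglen bytes of tag + terminator at scratch[taglen] + scratch[taglen+1] */
    if (taglen + 2 > scratch_len)
        return NULL;

    snprintf(scratch, scratch_len, "%s: %s", tag, value);
    scratch[taglen] = '\0';            /* index is now provably in bounds */
    char *v = &scratch[taglen + 1];    /* at worst the NUL snprintf wrote */
    while (*v && isspace((unsigned char)*v))   /* equivalent of SKIPWS */
        v++;
    return v;
}

/* Returns 1 when a tag longer than HUGE_STRING is rejected, 0 otherwise. */
int rejects_oversize_tag(void)
{
    char scratch[HUGE_STRING];
    char longtag[HUGE_STRING + 16];            /* constructed oversize tag */
    memset(longtag, 'A', sizeof(longtag) - 1);
    longtag[sizeof(longtag) - 1] = '\0';
    return split_tag_value(longtag, "foo", scratch, sizeof(scratch)) == NULL;
}

int main(void)
{
    char scratch[HUGE_STRING];
    char *v = split_tag_value("subject", "  hello", scratch, sizeof(scratch));
    printf("tag=\"%s\" value=\"%s\"\n", scratch, v ? v : "(null)");
    printf("oversize tag rejected: %d\n", rejects_oversize_tag());
    return 0;
}
```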
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2980>