[Mutt] #3362: Off-by-one errors in rfc1524.c
--------------------+-------------------------------------------------------
Reporter: jepler | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: MIME | Version:
Keywords: |
--------------------+-------------------------------------------------------
I have found by inspection what appear to be off-by-one errors in
rfc1524.c. Line numbers from mutt 1.5.20:
{{{
63 char buf[LONG_STRING];
...
71 while (command[x] && x<clen && y<sizeof(buf))
...
111 buf[y++] = command[x++];
112 }
113 buf[y] = '\0';
}}}
It appears the loop can terminate with y==sizeof(buf), so that
buf[LONG_STRING] is written at line 113. This is an out-of-bounds access,
because the highest valid index is buf[LONG_STRING-1].
{{{
82 char param[STRING];
...
88 while (command[x] && command[x] != '}' && z<sizeof(param))
89 param[z++] = command[x++];
90 param[z] = '\0';
}}}
For similar reasons, line 90 can perform an out-of-bounds access on param.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3362>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
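The copy loops quoted in the ticket can be reproduced in isolation. The following is an added example, not code from mutt or from the reporter: it imitates the `param` loop shape with a constructed, smaller buffer (`PARAM_SIZE` is an assumed stand-in for `STRING`) and places a guard byte directly after that buffer, so the stray terminator write at the `param[z] = '\0'` step can be observed without undefined behaviour. The `limit` argument stands for the loop bound, `sizeof(param)` in the reported code and `sizeof(param) - 1` in the corrected form; the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for mutt's STRING; the real value is larger. */
#define PARAM_SIZE 8

/*
 * Copies characters of `command` up to a '}' into the first PARAM_SIZE
 * bytes of `guarded` and then NUL-terminates, mirroring the loop shape
 * from rfc1524.c.  `guarded` must be PARAM_SIZE + 1 bytes; the last byte
 * is a guard so that a terminator written at index PARAM_SIZE stays
 * inside the real allocation and can be detected.
 * Returns 1 if the guard byte was overwritten (terminator landed past
 * the end of the PARAM_SIZE-byte logical buffer), 0 otherwise.
 */
static int copy_param(const char *command, size_t limit, char *guarded)
{
    char *param = guarded;      /* logical buffer of PARAM_SIZE bytes */
    size_t x = 0, z = 0;

    guarded[PARAM_SIZE] = 'G';  /* guard byte just past the buffer */

    /* Same shape as the ticket's loop; `limit` is the bound under test. */
    while (command[x] && command[x] != '}' && z < limit)
        param[z++] = command[x++];
    param[z] = '\0';            /* with z == limit this is the stray write */

    return guarded[PARAM_SIZE] != 'G';
}

/* Reported form: bound is sizeof(param), so z can reach PARAM_SIZE. */
int vulnerable_overflows(const char *command)
{
    char guarded[PARAM_SIZE + 1];
    return copy_param(command, PARAM_SIZE, guarded);
}

/* Corrected form: bound is sizeof(param) - 1, leaving room for the NUL. */
int fixed_overflows(const char *command)
{
    char guarded[PARAM_SIZE + 1];
    return copy_param(command, PARAM_SIZE - 1, guarded);
}

/* Length of the string the corrected loop leaves in the buffer. */
size_t fixed_result_length(const char *command)
{
    char guarded[PARAM_SIZE + 1];
    copy_param(command, PARAM_SIZE - 1, guarded);
    return strlen(guarded);
}

int main(void)
{
    /* Constructed inputs: a short parameter and one longer than the buffer. */
    const char *inputs[] = { "abc}", "abcdefgh}", "abcdefghij}" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-12s vulnerable:%d fixed:%d\n", inputs[i],
               vulnerable_overflows(inputs[i]), fixed_overflows(inputs[i]));
    return 0;
}
```

An input whose parameter is at least `PARAM_SIZE` characters long drives `z` to `PARAM_SIZE` in the reported form, and the terminator then overwrites the guard; with the bound lowered by one the copy is truncated instead and the terminator stays in bounds. The same reasoning applies to the `buf`/`LONG_STRING` loop, which only differs in its bound and extra conditions.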