[Mutt] #3362: Off-by-one errors in rfc1524.c



#3362: Off-by-one errors in rfc1524.c
--------------------+-------------------------------------------------------
 Reporter:  jepler  |       Owner:  mutt-dev
     Type:  defect  |      Status:  new     
 Priority:  major   |   Milestone:          
Component:  MIME    |     Version:          
 Keywords:          |  
--------------------+-------------------------------------------------------
 I have found by inspection what appear to be off-by-one errors in
 rfc1524.c.  Line numbers from mutt 1.5.20:
 {{{
  63   char buf[LONG_STRING];
 ...
  71   while (command[x] && x<clen && y<sizeof(buf))
 ...
 111       buf[y++] = command[x++];
 112   }
 113   buf[y] = '\0';
 }}}
 It appears the loop can terminate with y==sizeof(buf), so that
 buf[LONG_STRING] is written at line 113.  This is an out-of-bounds access,
 because the highest valid index is buf[LONG_STRING-1].

 {{{
  82         char param[STRING];
 ...
  88         while (command[x] && command[x] != '}' && z<sizeof(param))
  89           param[z++] = command[x++];
  90         param[z] = '\0';
 }}}
 For similar reasons, line 90 can perform an out-of-bounds access on param.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3362>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
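The pattern reported above, as an added illustration that is not mutt's code: a model of the `param` copy loop (ticket lines 88-90) next to a hardened form that reserves the terminator byte, plus a guard-byte harness that makes the one-past-the-end write observable. The same `< size - 1` bound applies to the `buf` loop at line 71. `PARAM_SIZE`, the function names and the sample command string are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define PARAM_SIZE 8   /* stands in for STRING; small so the overflow is easy to hit */

/* Loop as reported: the bound z < size lets z == size on exit, so the
 * terminator is stored at out[size], one byte past the end of the buffer.
 * Returns the index at which the NUL was written. */
static size_t copy_param_buggy(const char *command, char *out, size_t size)
{
    size_t x = 0, z = 0;
    while (command[x] && command[x] != '}' && z < size)
        out[z++] = command[x++];
    out[z] = '\0';                 /* z may equal size here */
    return z;
}

/* Hardened form: stop one byte early so the NUL always fits. */
static size_t copy_param_fixed(const char *command, char *out, size_t size)
{
    size_t x = 0, z = 0;
    while (command[x] && command[x] != '}' && z < size - 1)
        out[z++] = command[x++];
    out[z] = '\0';                 /* z <= size - 1 always */
    return z;
}

/* Harness: hands the callee a buffer it believes is PARAM_SIZE bytes long but
 * that is really one byte larger, so the off-by-one lands on a guard byte
 * instead of on undefined memory. Returns 1 if the guard was overwritten. */
static int guard_clobbered(size_t (*fn)(const char *, char *, size_t),
                           const char *command)
{
    char storage[PARAM_SIZE + 1];          /* PARAM_SIZE bytes + 1 guard */
    memset(storage, 'G', sizeof storage);
    fn(command, storage, PARAM_SIZE);      /* callee sees size == PARAM_SIZE */
    return storage[PARAM_SIZE] != 'G';
}
```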