From: David Edmondson
To: notmuch@notmuchmail.org
Subject: [PATCH 02/13] notmuch: Fix off-by-one errors if a header is >200 characters long.
Date: Wed, 19 May 2010 08:03:29 +0100
Message-Id: <1274252620-1249-3-git-send-email-dme@dme.org>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1274252620-1249-1-git-send-email-dme@dme.org>
References: <1274252620-1249-1-git-send-email-dme@dme.org>
List-Id: "Use and development of the notmuch mail system."

If a single header is more than 200 characters long a set of 'off by one'
errors cause memory corruption.

When allocating memory with:

  a = malloc (len);

the last usable byte of the memory is 'a + len - 1' rather than 'a + len'.

Fix the same bug when calculating the current offset should the buffer used
for collecting the output header need to be reallocated.
---
 gmime-filter-headers.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/gmime-filter-headers.c b/gmime-filter-headers.c
index 2f3df80..7db3779 100644
--- a/gmime-filter-headers.c
+++ b/gmime-filter-headers.c
@@ -169,7 +169,7 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace, headers->lineptr = headers->line = malloc (headers->line_size); } lineptr = headers->lineptr; - lineend = headers->line + headers->line_size; + lineend = headers->line + headers->line_size - 1; if (lineptr == NULL) return; outptr = filter->outbuf;
@@ -185,8 +185,8 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace, if (lineptr == lineend) { headers->line_size *= 2; headers->line = xrealloc (headers->line, headers->line_size); - lineptr = headers->line + headers->line_size / 2; - lineend = headers->line + headers->line_size; + lineptr = headers->line + (headers->line_size / 2) - 1; + lineend = headers->line + headers->line_size - 1; } if (headers->saw_nl && *inptr != ' ' && *inptr != '\t') { -- 1.7.1
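Review bot: In the first hunk (@@ -169,7 +169,7 @@) `lineend = headers->line + headers->line_size - 1;` is still computed before the `if (lineptr == NULL) return;` check on the buffer just obtained from `malloc`, so the patch keeps pointer arithmetic on a possibly-NULL pointer ahead of the test; move the NULL check directly after the `malloc` and derive `lineptr` and `lineend` afterwards. The hunk also does not say what the byte reserved by `- 1` is for (presumably the terminating NUL written once a line is complete); a one-line comment at that assignment, e.g. `/* keep one byte for the NUL */`, would stop a later reader from "fixing" the `- 1` back out. Note too that this path returns silently from the filter on allocation failure while the second hunk relies on `xrealloc` never returning NULL; the two failure behaviours should probably match.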
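Review bot: In the second hunk (@@ -185,8 +185,8 @@) the resume position after `xrealloc`, `lineptr = headers->line + (headers->line_size / 2) - 1;`, is re-derived from the size, so it is only correct while the `- 1` here stays in step with the `- 1` in the `lineend` computation of the first hunk. Saving the offset before the reallocation (`size_t used = lineptr - headers->line;` before the `xrealloc`, then `lineptr = headers->line + used;` after it) is correct under either end-pointer convention and removes that coupling. `headers->line_size *= 2;` also has no guard against the size wrapping; unlikely to matter for a header line, but cheap to check before calling `xrealloc`.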
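As an added example, not notmuch's code and not part of this patch, the growable line buffer below implements the convention the commit message describes: `lineend` marks the last byte that may hold data, one byte is kept for the terminator, and the write offset is preserved across reallocation instead of being re-derived from `line_size / 2`. The initial size of 200 is an assumption taken from the subject line; `linebuf`, `collect_header` and `make_value` are hypothetical names, and the 450-byte header value is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed initial allocation: the subject line says the bug needs a header
 * longer than 200 characters, so 200 keeps that case reachable here. */
#define INITIAL_LINE_SIZE 200

/* Hypothetical growable buffer; field names mirror those in the patch. */
typedef struct {
    char *line;       /* start of the allocation */
    char *lineptr;    /* next byte to write */
    char *lineend;    /* last byte that may hold data; the byte after it is kept for the NUL */
    size_t line_size; /* bytes allocated */
} linebuf;

/* Allocate the buffer. The NULL check comes before any pointer arithmetic
 * on the result. Returns 0 on success, -1 on allocation failure. */
static int linebuf_init(linebuf *b)
{
    b->line_size = INITIAL_LINE_SIZE;
    b->line = malloc(b->line_size);
    if (b->line == NULL)
        return -1;
    b->lineptr = b->line;
    b->lineend = b->line + b->line_size - 1; /* reserve one byte for the terminator */
    return 0;
}

/* Append one byte, doubling the allocation when the usable region is full.
 * The offset is saved before realloc so the resume position is independent
 * of the end-pointer convention. Returns 0 on success, -1 on failure. */
static int linebuf_putc(linebuf *b, char c)
{
    if (b->lineptr == b->lineend) {
        size_t used = (size_t)(b->lineptr - b->line);
        char *grown;
        if (b->line_size > SIZE_MAX / 2)
            return -1; /* doubling would wrap */
        grown = realloc(b->line, b->line_size * 2);
        if (grown == NULL)
            return -1; /* old buffer is still valid; caller frees it */
        b->line = grown;
        b->line_size *= 2;
        b->lineptr = b->line + used;
        b->lineend = b->line + b->line_size - 1;
    }
    *b->lineptr++ = c;
    return 0;
}

/* Terminate the collected data; always in bounds thanks to the reserved byte. */
static void linebuf_finish(linebuf *b)
{
    *b->lineptr = '\0';
}

/* Feed a NUL-terminated header value through the buffer one byte at a time,
 * as a streaming filter would. Returns the collected string (caller frees)
 * and stores the final allocation size in *size_out; NULL on failure. */
char *collect_header(const char *input, size_t *size_out)
{
    linebuf b;
    const char *p;
    if (linebuf_init(&b) != 0)
        return NULL;
    for (p = input; *p != '\0'; p++) {
        if (linebuf_putc(&b, *p) != 0) {
            free(b.line);
            return NULL;
        }
    }
    linebuf_finish(&b);
    if (size_out != NULL)
        *size_out = b.line_size;
    return b.line;
}

/* Build a constructed header value of n copies of c (caller frees). */
char *make_value(size_t n, char c)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    size_t size = 0;
    char *value = make_value(450, 'x'); /* constructed: longer than the initial buffer */
    char *out = collect_header(value, &size);
    if (out == NULL)
        return 1;
    printf("collected %zu bytes, final buffer %zu bytes\n", strlen(out), size);
    free(out);
    free(value);
    return 0;
}
```

With 200 bytes allocated only 199 hold data, so a 199-byte value never grows the buffer, a 200-byte value forces one doubling to 400, and the 450-byte value above ends at 800 bytes. The terminator write in `linebuf_finish` is what the reserved byte pays for; without it, a value that exactly fills the allocation would place the NUL one past the end, which is the corruption the patch describes.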