Good morning,
Jakub Wilk reported a crash in mutt:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125
Looking in mutt-1.5.23-2.fc20.x86_64:
char *mutt_substrdup (const char *begin, const char *end)
{
size_t len;
char *p;
if (end)
len = end - begin;
else
len = strlen (begin);
p = safe_malloc (len + 1);
memcpy (p, begin, len);
p[len] = 0;
return p;
}
"end" can be less than "begin", and in this case -1 tries to be stored
in the unsigned int len. The safe_malloc will therefore be called with
"0" (due to the +1), and then the following memcpy will use the huge len.
(gdb) b mutt_substrdup
Breakpoint 1 at 0x46daf0: file lib.c, line 814.
(gdb) c
Continuing.
Breakpoint 1, mutt_substrdup (
begin=begin@entry=0xe4b630 "From jw...@jwilk.net Wed Nov 26
18:01:22 2014\nFrom:\n\rI\n",
end=end@entry=0xe4b65e "From:\n\rI\n") at lib.c:814
814 {
(gdb) c
Continuing.
Breakpoint 1, mutt_substrdup (begin=begin@entry=0xe4b65e "From:\n\rI\n",
end=end@entry=0xe4b662 ":\n\rI\n") at lib.c:814
814 {
(gdb) c
Continuing.
Breakpoint 1, mutt_substrdup (begin=0xe4b665 "I\n",
end=end@entry=0xe4b664 "\rI\n") at lib.c:814
814 {
(gdb) x/s begin
0xe4b665: "I\n"
(gdb) x/s end
0xe4b664: "\rI\n"
(gdb) n
818 if (end)
(gdb) n
819 len = end - begin;
(gdb) n
823 p = safe_malloc (len + 1);
(gdb) p len
$1 = 18446744073709551615
(gdb) p len + 1
$2 = 0
We haven't looked yet where the overlap occurs, nor have a patch yet.
I did have to put "set weed=off" in .muttrc for the issue to present.
Cheers,
--
Murray McAllister / Red Hat Product Security
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
