Source: procmail
Version: 3.22-25
The skipcomment() function looks like this:
static const char*skipcomment(start)const char*start;
{ for(;;)
     switch(*++start)
      { case '\0':start--;
	case ')':return start;
	case '\\':start++;
	   break;				  /* Prithee, breaking the 11th commandment here: */
	case '(':start=skipcomment(start);	  /* Thou shalt not re-curse! */
      }
}
When you pass it a string that ends with a backslash, it jumps over the
terminating null byte. :(
To reproduce, rebuild the package with -fsanitize=address, and run:
$ printf 'From (\\' | formail
=================================================================
==2659==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5000734
at pc 0x5665d337 bp 0xfffcf038 sp 0xfffcf02c
READ of size 1 at 0xf5000734 thread T0
#0 0x5665d336 in skipcomment .../procmail-3.22/src/formisc.c:22
#1 0x5665d477 in skipwords .../procmail-3.22/src/formisc.c:44
#2 0x56656071 in getsender .../procmail-3.22/src/formail.c:269
#3 0x56658fce in main .../procmail-3.22/src/formail.c:628
#4 0xf6f17285 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18285)
#5 0x56654860 (.../procmail-3.22/src/formail+0x3860)
0xf5000734 is located 0 bytes to the right of 4-byte region
[0xf5000730,0xf5000734)
allocated by thread T0 here:
#0 0xf71e9e14 in malloc (/usr/lib/i386-linux-gnu/libasan.so.4+0xdee14)
#1 0x5665fa20 in tmalloc .../procmail-3.22/src/ecommon.c:21
#2 0x56655b61 in getsender .../procmail-3.22/src/formail.c:222
#3 0x56658fce in main .../procmail-3.22/src/formail.c:628
#4 0xf6f17285 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18285)
...
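The off-by-one described above, and one way to close it, as an added example that is not procmail's code or procmail's fix: skipcomment_orig is the function quoted above recast in ANSI C (bug kept), while skipcomment_safe and stop_offset are names invented here. The harness copies each input into a buffer with a sentinel byte after the NUL, so the original's overread becomes a measurable offset instead of the heap-buffer-overflow that AddressSanitizer reports.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* procmail 3.22's skipcomment(), recast in ANSI C but otherwise bug-for-bug,
 * so the harness below can measure where it stops. 'start' points at the '('
 * that opens an RFC 822 comment. */
static const char *skipcomment_orig(const char *start)
{
    for (;;)
        switch (*++start) {
        case '\0': start--;                  /* FALLTHROUGH: back up onto the last byte */
        case ')':  return start;
        case '\\': start++;                  /* the bug: steps over the next byte even if it is the NUL */
                   break;
        case '(':  start = skipcomment_orig(start);
        }
}

/* Hardened version (this example's own fix, not procmail's): a backslash that
 * is the last byte before the terminator no longer advances past it. The
 * return contract is unchanged: the matching ')' or, for an unterminated
 * comment, the last byte before the NUL, so the caller's own ++ lands on it. */
static const char *skipcomment_safe(const char *start)
{
    for (;;) {
        switch (*++start) {
        case '\0':
            return start - 1;
        case ')':
            return start;
        case '\\':
            if (start[1] == '\0')
                return start;                /* trailing backslash: stop here, not past the NUL */
            start++;                         /* otherwise skip the quoted byte */
            break;
        case '(':
            start = skipcomment_safe(start); /* nested comment */
            break;
        }
    }
}

/* Offset (from the '(') at which an implementation stops on input 's'.
 * The string is copied into a buffer with one sentinel ')' byte after the
 * NUL, so a one-byte overread lands inside our allocation and is observable
 * instead of undefined behaviour. An offset equal to strlen(s)+1 means the
 * function read past the terminator. The single sentinel only covers a
 * top-level overread, so the original is measured on such inputs only. */
static size_t stop_offset(const char *(*fn)(const char *), const char *s)
{
    size_t len = strlen(s);
    char *buf = malloc(len + 2);
    if (buf == NULL)
        return (size_t)-1;
    memcpy(buf, s, len + 1);                 /* includes the NUL */
    buf[len + 1] = ')';                      /* sentinel one byte past the terminator */
    size_t off = (size_t)(fn(buf) - buf);
    free(buf);
    return off;
}

int main(void)
{
    /* Comment portion of the reporter's input "From (\\": an open paren
     * followed by a lone backslash (constructed probe). */
    const char *probe = "(\\";
    printf("strlen=%zu  original stops at offset %zu  hardened stops at offset %zu\n",
           strlen(probe),
           stop_offset(skipcomment_orig, probe),
           stop_offset(skipcomment_safe, probe));
    return 0;
}
```

For the probe the original returns an offset of 3 on a 2-byte string, one past the NUL, which is exactly the read the sanitizer flags; the hardened version stops on the backslash at offset 1. On well-formed, nested and escaped-paren comments both functions return the same offset, so the fix changes behaviour only on the malformed input.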
--
Jakub Wilk