On Sat, Sep 23, 2017 at 12:24:35AM +0200, Jakub Wilk wrote:
> Package: procmail
> Version: 3.22-25+b1
> Tags: security
>
> formail crashes on the attached file:
>
> $ zcat overflow.822.gz | formail -r
> *** Error in `formail': corrupted size vs. prev_size: 0x584565a8 ***
> ...
> Aborted
>
> I believe the culprit is the loadbuf() function. It looks like this:
>
> void loadbuf(text,len)const char*const text;const size_t len;
> { if(buffilled+len>buflen) /* buf can't hold the text */
> buf=realloc(buf,buflen+=Bsize);
> tmemmove(buf+buffilled,text,len);buffilled+=len;
> }
>
> When the buffer is too small, the function tries to resize it, but only by
> Bsize (=128) bytes. This is not necessarily enough.
Thanks for the report and sorry for my late reply. Based on your analysis, it would seem that retrying the realloc until the condition inside the if becomes false would fix this. I don't have an i386 system around. Can you try the following (trivial) attached patch? Salvatore: if this patch solves the issue and I upload it for unstable, would you like me to take care of/help with stable as well (following your indications)? Thanks.
diff --git a/src/formisc.c b/src/formisc.c index d91b227..6c7594b 100644 --- a/src/formisc.c +++ b/src/formisc.c @@ -103,7 +103,7 @@ void loadsaved(sp)const struct saved*const sp; /* load some saved text */ } /* append to buf */ void loadbuf(text,len)const char*const text;const size_t len; -{ if(buffilled+len>buflen) /* buf can't hold the text */ +{ while(buffilled+len>buflen) /* buf can't hold the text */ buf=realloc(buf,buflen+=Bsize); tmemmove(buf+buffilled,text,len);buffilled+=len; }
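Review bot: the `while` closes the under-allocation, but growth is still one Bsize (128 bytes) per iteration, so a `len` of a few kilobytes costs dozens of realloc calls; computing the target once (round `buffilled+len` up to a multiple of Bsize) and calling realloc a single time gives the same capacity in one step. Also, `buf=realloc(buf,buflen+=Bsize);` still assigns without checking for NULL, so on allocation failure the old buffer is lost and `tmemmove(buf+buffilled,text,len);` writes through a null pointer; worth adding the check while this function is being touched.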
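As an added example (not procmail's code): the growth policy of the quoted loadbuf() and of the patched one, modelled as pure size computations so the under-allocation can be checked, beside a hardened loadbuf that sizes the buffer in one step, guards against size_t wrap and checks realloc(). The struct, the function names and the BSIZE constant are assumptions made for this demo.

```c
/* Added example, not procmail's own code. Models formail's loadbuf()
 * growth policy so the under-allocation can be checked, beside a hardened
 * variant. struct dbuf, the function names and BSIZE are demo assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 128   /* Bsize in formail, per the bug report */

struct dbuf { char *buf; size_t buflen, buffilled; };

/* Original policy: grow by exactly one Bsize when the text does not fit.
 * Returns the capacity it leaves; the caller then writes buffilled+len bytes,
 * so a result smaller than buffilled+len means a heap overflow. */
size_t grow_once(size_t buflen, size_t buffilled, size_t len)
{
    if (buffilled + len > buflen)
        buflen += BSIZE;
    return buflen;
}

/* Patched policy: keep adding Bsize until the text fits. */
size_t grow_until_fit(size_t buflen, size_t buffilled, size_t len)
{
    while (buffilled + len > buflen)
        buflen += BSIZE;
    return buflen;
}

/* Hardened loadbuf: compute the needed size once, refuse sizes that would
 * wrap size_t, and keep the old buffer valid if realloc() fails.
 * Returns 0 on success, -1 on failure (buffer untouched). */
int loadbuf_safe(struct dbuf *d, const char *text, size_t len)
{
    if (len > SIZE_MAX - d->buffilled)           /* buffilled+len would wrap */
        return -1;
    size_t need = d->buffilled + len;
    if (need > d->buflen) {
        if (need > SIZE_MAX - BSIZE)
            return -1;
        size_t newlen = (need + BSIZE - 1) / BSIZE * BSIZE; /* round up */
        char *p = realloc(d->buf, newlen);
        if (p == NULL)                           /* d->buf still owned, not lost */
            return -1;
        d->buf = p;
        d->buflen = newlen;
    }
    memmove(d->buf + d->buffilled, text, len);
    d->buffilled += len;
    return 0;
}
```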