On Sun, Nov 19, 2017 at 12:18:28PM +0100, Pierre-Elliott Bécue wrote:
> Actually, there might be another issue:
>
> >+{ while(buffilled+len>buflen) /* buf can't hold the text */
> > buf=realloc(buf,buflen+=Bsize);
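Review bot: The return value of realloc is never checked, and `buflen+=Bsize` is applied before the allocation is known to have succeeded: if realloc returns NULL, `buf=realloc(buf,...)` overwrites the only pointer to the old block (leaking it) while `buflen` already claims the larger size. Assign to a temporary first, test it for NULL, and only then update `buf` and `buflen`. Separately, `buffilled+len` in the loop condition has no wrap-around guard; a `len > SIZE_MAX - buffilled` check before the loop would make the size_t overflow raised in this thread impossible rather than merely impractical.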
>
> If buffilled > INT_MAX - len, I think this loop won't work and so that
> one'll have the same overflow as the tmemmove will be executed without any
> resize.
>
> I'm not sure how it could be exploited, and I might be wrong, but maybe one
> should also check that?
All variables involved are size_t, which is at least 32 bits on i386.
I guess you would need a 4GB-long email message to "exploit" that.
However, if your inbox allows such big messages, then you don't need an
exploit at all. The message itself would already create a Denial of
Service issue. So this minor issue about size_t variables would be the
least of our worries.
Thanks.
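For reference, here is a hardened form of the growth loop discussed above. This is an added example, not code from the thread or from the project being patched; the variable names `buf`, `buflen`, `buffilled`, `len` and the growth step `Bsize` follow the quoted hunk, but the functions `grow_buf`, `append_bytes` and the two `demo_*` helpers are hypothetical, and the `BSIZE` value is assumed. It rejects a wrapping `buffilled+len` up front (the case raised in the thread) and checks the realloc result before touching the caller's pointer or length.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BSIZE 4096 /* growth step; stands in for the hunk's Bsize (value assumed) */

/* Grow *buf so it can hold buffilled + len bytes.
 * Returns 0 on success, -1 on size_t overflow or allocation failure.
 * On failure *buf and *buflen are left exactly as they were. */
static int grow_buf(char **buf, size_t *buflen, size_t buffilled, size_t len)
{
    size_t need, newlen;
    char *tmp;

    /* The quoted hunk computes buffilled+len unchecked: if the sum wraps,
     * the loop condition is false and no resize happens before the copy.
     * Refuse that case outright. */
    if (len > SIZE_MAX - buffilled)
        return -1;
    need = buffilled + len;
    if (need <= *buflen)
        return 0;

    newlen = *buflen;
    while (newlen < need) {
        if (newlen > SIZE_MAX - BSIZE) /* buflen += Bsize would wrap */
            return -1;
        newlen += BSIZE;
    }

    /* Assign to a temporary: if realloc fails, the old block is still
     * owned by the caller and *buflen still describes it. */
    tmp = realloc(*buf, newlen);
    if (tmp == NULL)
        return -1;
    *buf = tmp;
    *buflen = newlen;
    return 0;
}

/* Append len bytes of src, resizing first. Returns 0 on success, -1 otherwise. */
static int append_bytes(char **buf, size_t *buflen, size_t *buffilled,
                        const char *src, size_t len)
{
    if (grow_buf(buf, buflen, *buffilled, len) != 0)
        return -1;
    memmove(*buf + *buffilled, src, len);
    *buffilled += len;
    return 0;
}

/* Constructed check: buffilled near SIZE_MAX so buffilled+len would wrap
 * to a small value. Expected result: -1 (rejected, nothing allocated). */
int demo_overflow_rejected(void)
{
    char *buf = NULL;
    size_t buflen = 0;
    return grow_buf(&buf, &buflen, SIZE_MAX - 10, 100);
}

/* Constructed check: a normal append into an empty buffer.
 * Returns 1 when the data landed and the bookkeeping is consistent. */
int demo_append(void)
{
    char *buf = NULL;
    size_t buflen = 0, buffilled = 0;
    const char msg[] = "constructed sample line\n";
    int r = append_bytes(&buf, &buflen, &buffilled, msg, sizeof msg - 1);
    int ok = (r == 0 && buffilled == sizeof msg - 1 && buflen == BSIZE &&
              memcmp(buf, msg, buffilled) == 0);
    free(buf);
    return ok;
}
```

The point of the structure is that every failure path returns before any state is modified, so a caller can report the error (or drop the oversized message) without ever reaching the memmove with a buffer that is too small.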