Package: src:courier-unicode
Version: 2.1-3
Severity: important
Tags: buster
Usertags: cone
Backport important bug fix against cone in stable current release:

Fix bug triggered by cone. Parameters to memmove were reversed. len is the size of the buffer. len-pos-cnt characters were copied in error to position pos+cnt. As such this did not overflow. I.e. if len was 8 (eight chars), pos was 1 and cnt was 2, then 8-2-1=5 characters were copied to offset 3, right at the end of the buffer. This was just plain wrong.

Origin: upstream, https://github.com/svarshavchik/courier-libs/commit/b89f5f8dc09431bb345308b3a0ffd5f7d22cdfb2#diff-2fcf76a4c3c75b1fb5288d83d62dd114dc556d16fba206ab35d38bfe294a2857

--- courier-unicode-2.1.orig/unicodebuf.c +++ courier-unicode-2.1/unicodebuf.c @@ -89,7 +89,7 @@ void unicode_buf_remove(struct unicode_b cnt=p->len-pos; if (cnt) - memmove(p->ptr+pos+cnt, p->ptr+pos, p->len-pos-cnt); + memmove(p->ptr+pos, p->ptr+pos+cnt, (p->len-pos-cnt) * sizeof(char32_t)); p->len -= cnt; } --- courier-unicode-2.1.orig/unicodetest.c +++ courier-unicode-2.1/unicodetest.c @@ -123,11 +123,30 @@ static void test2() exit(1); } +void testunicodebuf() +{ + struct unicode_buf buf; + + unicode_buf_init(&buf, -1); + unicode_buf_append_char(&buf, "01234567", 8); + unicode_buf_remove(&buf, 1, 6); + + if (unicode_buf_len(&buf) != 2 || + unicode_buf_ptr(&buf)[0] != '0' || + unicode_buf_ptr(&buf)[1] != '7') + { + fprintf(stderr, "unicode_buf_remove failed\n"); + exit(1); + } + unicode_buf_deinit(&buf); +} + int main(int argc, char **argv) { const char *chset=unicode_x_imap_modutf7; int argn=1; + testunicodebuf(); if (argn < argc && strcmp(argv[argn], "--smap") == 0) { chset=unicode_x_imap_modutf7 " ./~:";

Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com
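Review bot: in the unicodebuf.c hunk, the byte count `(p->len-pos-cnt) * sizeof(char32_t)` is only safe because of the clamp `cnt=p->len-pos;` visible in the context just above it; if pos itself can exceed p->len, that subtraction wraps as an unsigned value before the clamp helps, so either the caller or unicode_buf_remove() should reject pos > len. The description also says only that the memmove parameters were reversed, but the hunk additionally changes the count from elements to bytes via sizeof(char32_t); the backport changelog should mention both changes, since the byte scaling determines how much of the tail is preserved.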
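Review bot: in the unicodetest.c hunk, testunicodebuf() is defined without `static`, unlike the neighbouring `static void test2()` shown in the hunk context; make it static for consistency and to avoid exporting a symbol with no prototype. The test covers a single in-range removal ("01234567", pos 1, cnt 6, expecting "07"); a second call with pos+cnt past the end of the buffer would also exercise the `cnt=p->len-pos;` clamp that the first hunk relies on.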
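As an added illustration (not code from courier-unicode or from the patch above): a minimal stand-in for unicode_buf_remove() with the original and the corrected memmove call side by side, run against the patch's own test input. The struct layout, the helper names and the `pos > len` guard are assumptions made for the demo.

```c
/* Added example, not courier-unicode's code: models unicode_buf_remove()
   so the bug report's numbers can be checked (buffer holds char32_t). */
#include <string.h>
#include <uchar.h>   /* char32_t */

struct ubuf {
    char32_t ptr[16];  /* fixed capacity is enough for the demo */
    size_t len;
};

/* Load an ASCII string into the buffer as UCS-4 code points. */
static void ubuf_set(struct ubuf *b, const char *s)
{
    b->len = 0;
    while (*s && b->len < 16)
        b->ptr[b->len++] = (char32_t)(unsigned char)*s++;
}

/* Remove cnt code points at pos.  fixed==0 reproduces the original call
   (pointers reversed, count in elements not bytes); fixed!=0 is the
   corrected call from the upstream patch. */
static void ubuf_remove(struct ubuf *b, size_t pos, size_t cnt, int fixed)
{
    if (pos > b->len)
        pos = b->len;       /* assumed guard: keeps len-pos from wrapping */
    if (pos + cnt > b->len)
        cnt = b->len - pos; /* clamp, as in the patch context */
    if (cnt) {
        if (fixed)
            memmove(b->ptr + pos, b->ptr + pos + cnt,
                    (b->len - pos - cnt) * sizeof(char32_t));
        else
            memmove(b->ptr + pos + cnt, b->ptr + pos, b->len - pos - cnt);
    }
    b->len -= cnt;
}

/* The patch's own case: "01234567", remove 6 at 1, expect "07". 1 = pass. */
static int remove_test(int fixed)
{
    struct ubuf b;
    ubuf_set(&b, "01234567");
    ubuf_remove(&b, 1, 6, fixed);
    return b.len == 2 && b.ptr[0] == '0' && b.ptr[1] == '7';
}

/* Edge case: cnt past the end is clamped, leaving "a" from "abc". */
static int remove_clamped(void)
{
    struct ubuf b;
    ubuf_set(&b, "abc");
    ubuf_remove(&b, 1, 10, 1);
    return b.len == 1 && b.ptr[0] == 'a';
}
```

With the original call only one byte of the tail is moved, so the buffer still reads "01" after the removal and the check fails; with the corrected call it reads "07".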