Control: tags -1 + patch The report is xlassie -imapfolde - - < <(printf AAAAAAAAAAAAAAAAAAAAAAA) (those are actual ^As) I can reduce it to xlassie -imapfolde a with (gdb) bt #0 __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:566 #1 0x0000555555403b05 in parse_cmdline (argc=argc@entry=3, argv=argv@entry=0x7fffffffe2f8) at xlassie.c:567 #2 0x0000555555403ddb in init (argc=argc@entry=3, argv=argv@entry=0x7fffffffe2f8) at xlassie.c:606 #3 0x0000555555402a12 in main (argc=3, argv=0x7fffffffe2f8) at xlassie.c:846 which is │ 565 case 19: │ 566 optList[FOLDERNAME].isSet = True; │ > 567 strcpy(optList[FOLDERNAME].value, optarg); │ 568 break; with (gdb) p optList[FOLDERNAME] $2 = {label = 0x55555555b4fa "imapfolder", name = 0x55555555b4fa "imapfolder", isBool = 0, isSet = 1, value = 0x55555555b56f "INBOX"} initialised thus optStruct optList[] = { {"imapfolder", "imapfolder", False, False, "INBOX"}, so this is obviously invalid.
This whole parser seems to have a thing for writing to constant strings. (Note also how if they /weren't/ in .rodata, this would trivially raze whatever else is in the string table.) Thankfully, it can just trivially Not do this. Patch below. Best,
--- xlassie-1.8.orig/xlassie.c +++ xlassie-1.8/xlassie.c @@ -534,15 +534,15 @@ void parse_cmdline(int argc, char *argv[ case 11: optList[SHAPE].isSet = True; break; case 12: optList[SPOOL].isSet = True; - strcpy(optList[SPOOL].value, optarg); + optList[SPOOL].value = optarg; break; case 13: optList[MAILCOMMAND].isSet = True; - strcpy(optList[MAILCOMMAND].value, optarg); + optList[MAILCOMMAND].value = optarg; break; case 14: optList[CLICKCOMMAND].isSet = True; - strcpy(optList[CLICKCOMMAND].value, optarg); + optList[CLICKCOMMAND].value = optarg; break; case 15: Count_offset = atoi(optarg); break; @@ -550,29 +550,29 @@ void parse_cmdline(int argc, char *argv[ case 16: optList[POP3].isSet = True; optList[SPOOL].isSet = True; - strcpy(optList[SPOOL].value, optarg); + optList[SPOOL].value = optarg; break; case 17: optList[APOP3].isSet = True; optList[SPOOL].isSet = True; - strcpy(optList[SPOOL].value, optarg); + optList[SPOOL].value = optarg; break; case 18: optList[IMAP].isSet = True; optList[SPOOL].isSet = True; - strcpy(optList[SPOOL].value, optarg); + optList[SPOOL].value = optarg; break; case 19: optList[FOLDERNAME].isSet = True; - strcpy(optList[FOLDERNAME].value, optarg); + optList[FOLDERNAME].value = optarg; break; case 20: optList[USERNAME].isSet = True; - strcpy(optList[USERNAME].value, optarg); + optList[USERNAME].value = optarg; break; case 21: optList[PASSWORD].isSet = True; - strcpy(optList[PASSWORD].value, optarg); + optList[PASSWORD].value = strdup(optarg); /* Overwrite password argument (for 'ps' scanning) */ memset(optarg, 0, strlen(optarg)); break;
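Review bot: After the new assignments in cases 12-14 (and cases 16-20 in the next hunk), `.value` points either at a string literal from the initialiser or at `argv` storage, so nothing may write through it any more. The field is presumably still a plain `char *`, which means a leftover write elsewhere would still compile. The report says the parser writes to constant strings in more than one place, so declaring the field as `const char *value;` in `optStruct` would make the compiler flag every remaining one. A comment on the field such as `/* read-only: string literal, argv, or (PASSWORD) a strdup copy; never written through */` would record the ownership rule. `parse_cmdline` starts and ends outside the hunk and the struct definition is not shown, so this needs checking against the full file.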
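Review bot: The `strdup(optarg)` result in case 21 is stored without a NULL check, so an allocation failure leaves `optList[PASSWORD].value` NULL while `isSet` is True, and whatever reads the password later would dereference it. Checking the copy before storing it keeps the failure at parse time: `char *pw = strdup(optarg); if (pw == NULL) { perror("strdup"); exit(EXIT_FAILURE); }` followed by `optList[PASSWORD].value = pw;`. The copy itself is needed because the following `memset` scrubs `optarg`; the other cases alias `optarg` directly and are not affected. The rest of `parse_cmdline` and the file's includes are outside the hunk, so whether `<stdlib.h>` and `<stdio.h>` are already included should be confirmed.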