Subject: mailx: Crashes when command line contains many digits
Package: mailx
Version: 1:8.1.2-0.20040524cvs-4
Severity: normal
Tags: patch

Hello,

mailx crashes when you give it a command line containing thousands of digits,
as shown in this example:


[EMAIL PROTECTED]:~/mailx-bug$ perl -e 'print "9"x2150, "\n";' | /usr/bin/mailx -f mailbox
Mail version 8.1.2 01/15/2001.  Type ? for help.
"mailbox": 1 message
>   1 [EMAIL PROTECTED]  Sun May 29 01:52   18/592   hi
-1: Invalid message number
"Source" stack over-pop.
Segmentation fault
[EMAIL PROTECTED]:~/mailx-bug$


This crash is caused by a buffer overflow. I see no security implications of
this bug, since that part of the code deals with data from the user and not
data from e-mail messages and since it only copies digits anyway. It is still
worth fixing to improve quality and stability.

I have attached a patch and the mailbox I used in the example above (it should
work with any mailbox file, though).

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages mailx depends on:
ii  base-files                  3.1.2        Debian base system miscellaneous f
ii  exim4                       4.50-8       metapackage to ease exim MTA (v4) 
ii  exim4-daemon-light [mail-tr 4.50-8       lightweight exim MTA (v4) daemon
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  liblockfile1                1.06         NFS-safe locking library, includes

-- no debconf information

--- list.c.old  2003-10-14 14:50:21.000000000 +0200
+++ list.c      2005-06-13 00:49:38.194654056 +0200
@@ -543,7 +543,8 @@ scan(char **sp)
                lexnumber = 0;
                while (isdigit(c)) {
                        lexnumber = lexnumber*10 + c - '0';
-                       *cp2++ = c;
+                       if (cp2 - lexstring < STRINGLEN-1)
+                               *cp2++ = c;
                        c = *cp++;
                }
                *cp2 = '\0';
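Review bot: the new guard bounds the copy into lexstring but leaves `lexnumber = lexnumber*10 + c - '0';` running for every digit, so on the 2150-digit input from the report lexnumber still overflows (signed integer overflow, undefined behaviour in C) while lexstring is silently cut to STRINGLEN-1 characters, and the two no longer describe the same token. Consider either stopping accumulation once the next digit would overflow, or treating a run longer than STRINGLEN-1 digits as an error (the existing "Invalid message number" path) rather than truncating it, so the caller never acts on a number unrelated to what was typed.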
From [EMAIL PROTECTED] Sun May 29 01:52:52 2005
Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Sun, 29 May 2005 01:52:52 +0200
Received: from metaur by h215n2fls34o1123.telia.com with local (Exim 4.50)
        id 1DcB6q-0002WB-Du
        for [EMAIL PROTECTED]; Sun, 29 May 2005 01:52:52 +0200
To: [EMAIL PROTECTED]
Subject: hi
Message-Id: <[EMAIL PROTECTED]>
From: Ulf Harnhammar <[EMAIL PROTECTED]>
Date: Sun, 29 May 2005 01:52:52 +0200
Status: RO
Content-Length: 3
Lines: 1

hi
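The overflow described in the report, as an added example that is not mailx's code: a reduced C model of the scan() digit loop, with the unbounded copy beside a bounded version that also reports when the accumulated number would no longer fit in an int. STRINGLEN, lexstring and lexnumber are the names from the hunk; the size 1024, the function names and the scan_result struct are assumptions made for this demo, and the 2150-digit input is constructed in the code to match the perl pipeline in the report.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Editor's example, not code from mailx: a reduced model of the digit loop in
 * scan(). STRINGLEN, lexstring and lexnumber are the names used in the hunk;
 * the size 1024 and everything else here is an assumption for the demo. */
#define STRINGLEN 1024

static char lexstring[STRINGLEN];
static int lexnumber;

/* The pre-patch loop: every digit is copied into lexstring with no bound, so
 * STRINGLEN or more digits write past the array. Kept for contrast and only
 * ever fed short input below; do not call it with the report's 2150 digits. */
static void scan_digits_unbounded(const char *in)
{
    const char *cp = in;
    char *cp2 = lexstring;
    int c = (unsigned char)*cp++;

    lexnumber = 0;
    while (isdigit(c)) {
        lexnumber = lexnumber * 10 + c - '0';  /* signed overflow on long runs */
        *cp2++ = (char)c;                      /* no check against STRINGLEN */
        c = (unsigned char)*cp++;
    }
    *cp2 = '\0';
}

struct scan_result {
    size_t digits_seen;  /* digits present in the input */
    size_t digits_kept;  /* digits actually stored in lexstring */
    int value;           /* accumulated number; meaningful only if !overflow */
    int truncated;       /* more digits than lexstring can hold */
    int overflow;        /* value would not fit in an int */
};

/* Hardened form: bound the copy as the patch does, and also stop accumulating
 * once the number would overflow, reporting both to the caller so it can
 * reject the token instead of acting on a number unrelated to the input. */
static struct scan_result scan_digits_bounded(const char *in)
{
    struct scan_result r = {0, 0, 0, 0, 0};
    const char *cp = in;
    char *cp2 = lexstring;
    int c = (unsigned char)*cp++;

    while (isdigit(c)) {
        int d = c - '0';
        r.digits_seen++;
        if (!r.overflow) {
            if (r.value > (INT_MAX - d) / 10)
                r.overflow = 1;
            else
                r.value = r.value * 10 + d;
        }
        if ((size_t)(cp2 - lexstring) < STRINGLEN - 1) { /* room for the NUL */
            *cp2++ = (char)c;
            r.digits_kept++;
        } else {
            r.truncated = 1;
        }
        c = (unsigned char)*cp++;
    }
    *cp2 = '\0';
    lexnumber = r.overflow ? -1 : r.value;  /* -1 marks "no usable number" */
    return r;
}

/* The report's input, constructed here: 2150 nines and a newline, as produced
 * by perl -e 'print "9"x2150, "\n"'. */
static struct scan_result scan_report_input(void)
{
    static char input[2152];

    memset(input, '9', 2150);
    input[2150] = '\n';
    input[2151] = '\0';
    return scan_digits_bounded(input);
}

static const char *scanned_string(void)
{
    return lexstring;
}

int main(void)
{
    struct scan_result r;

    scan_digits_unbounded("42 rest");
    printf("unbounded, short input: \"%s\" -> %d\n", lexstring, lexnumber);

    r = scan_digits_bounded("1234 rest");
    printf("bounded, short input:   \"%s\" -> %d\n", lexstring, r.value);

    r = scan_report_input();
    printf("bounded, 2150 digits:   seen=%zu kept=%zu truncated=%d overflow=%d\n",
           r.digits_seen, r.digits_kept, r.truncated, r.overflow);
    return 0;
}
```

The bounded scanner keeps the patch's length check but adds the piece the patch leaves out: on the 2150-digit input the stored string is cut to STRINGLEN-1 characters and the int accumulator would have wrapped after ten digits, so both conditions are surfaced as flags for the caller rather than silently producing a message number that bears no relation to what was typed.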
