On Tue, 3 Jun 2008, Samuel Thibault wrote:

> Package: procmail
> Version: 3.22-16
> Severity: important
> [...]
>
> valgrind says
>
> ==8314== Invalid write of size 1
> ==8314== at 0x804CEFA: concatenate (goodies.c:381)
> ==8314== by 0x804F5DB: writefolder (mailfold.c:217)
> ==8314== by 0x804A387: mainloop (procmail.c:884)
> ==8314== by 0x804B771: main (procmail.c:488)
> ==8314== Address 0x419bfa4 is 0 bytes after a block of size 84 alloc'd
> ==8314== at 0x4022AB8: malloc (vg_replace_malloc.c:207)
> ==8314== by 0x80546CF: tmalloc (robust.c:49)
> ==8314== by 0x804F2E7: writefolder (mailfold.c:208)
> ==8314== by 0x804A387: mainloop (procmail.c:884)
> ==8314== by 0x804B771: main (procmail.c:488)
>
> And this is indeed wrong: in writefolder() we allocate a string of size
> Tmnate-linkfolder, and then concatenate() basically does *Tmnate = 0...
So, by doing the equivalent thing of *Tmnate = 0, it's using one more byte than it's allocated.

Could you please try this patch and tell me whether it fixes the crash or not?

diff -ru procmail-3.22/src/mailfold.c ASASAS/src/mailfold.c --- procmail-3.22/src/mailfold.c 2009-09-01 18:29:18.000000000 +0200 +++ ASASAS/src/mailfold.c 2009-08-21 22:54:13.000000000 +0200 @@ -205,7 +205,7 @@ if(linkfolder) /* any additional directories specified? */ { size_t blen; if(blen=Tmnate-linkfolder) /* copy the names into safety */ - Tmnate=(linkfolder=tmemmove(malloc(blen),linkfolder,blen))+blen; + Tmnate=(linkfolder=tmemmove(malloc(blen+1),linkfolder,blen))+blen; else linkfolder=0; }

The patch seems to fix Bug#474298, which is very similar, but I would like to know whether it fixes this one as well.

Thanks a lot.
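
Review bot: the `+1` in `malloc(blen+1)` on the changed line is undocumented, and nothing in this hunk initialises the extra byte: `tmemmove` still copies only `blen` bytes, so the byte at `Tmnate` holds whatever malloc returned until a later caller stores the terminator there (the valgrind trace in the report points at `concatenate`, goodies.c:381, as that writer). Suggest extending the existing comment on the `if(blen=Tmnate-linkfolder)` line to say the extra byte is reserved for the terminator written at `*Tmnate`, so the size is not trimmed back to `blen` in a later cleanup. It is also worth confirming that no other path reads `*Tmnate` before `concatenate` has written it, since the hunk itself gives no guarantee about that byte's value.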