Public bug reported: Binary package hint: spamprobe
In version 1.2a-1 from Ubuntu (and vanilla 1.2a) spamprobe can segfault on certain MIME input. The bug is in MimeDecoder.cc, around line 88:

    unsigned int index = (unsigned)ch;
    if (BASE64_CHARS[index] >= 0) {

ch is a signed char. If ch is negative, the (unsigned) cast will first zero-extend the negative char to a negative int, and thereafter treat it as unsigned, causing 'index' to be a very very large integer. BASE64_CHARS only holds 256 entries, and using 'index' as an index into this array causes the segfault.

The proper fix is to write:

    unsigned int index = (unsigned char)ch;
    if (BASE64_CHARS[index] >= 0) {

This completely fixes the problem.

Please note that spamprobe version 1.4 contains another fix for this problem which, in my opinion, is overly convoluted and only fixes the real problem "by accident". I would recommend that the simple solution above is added to the Ubuntu 1.2a spamprobe package.

** Affects: spamprobe (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed

-- 
Spamprobe segfaults on bad mime input
https://launchpad.net/bugs/85033

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
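The cast behaviour the report describes, as an added example that is not part of the original post and not spamprobe's own code. The table name b64_table, its contents and the decoder around it are assumptions standing in for the 256-entry BASE64_CHARS lookup; buggy_index() computes the index exactly as the reported line does, fixed_index() as the proposed fix does, and b64_decode() shows a MIME-tolerant decoder that skips 8-bit bytes instead of reading past the table:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 256-entry BASE64_CHARS table the report describes
   (name and layout assumed): 0..63 for alphabet bytes, -1 otherwise. */
static signed char b64_table[256];
static int b64_table_ready = 0;

static void b64_init(void)
{
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(b64_table, -1, sizeof b64_table);
    for (int i = 0; alphabet[i] != '\0'; i++)
        b64_table[(unsigned char)alphabet[i]] = (signed char)i;
    b64_table_ready = 1;
}

/* The index as the buggy line computed it. A negative signed char cast
   straight to unsigned int is converted modulo 2^32, so -23 (byte 0xE9)
   becomes UINT_MAX - 22, far beyond a 256-entry table. */
unsigned int buggy_index(signed char ch)
{
    return (unsigned int)ch;
}

/* The index as the fix computes it: converting to unsigned char first
   keeps the value in 0..255, so -23 becomes 233. */
unsigned int fixed_index(signed char ch)
{
    return (unsigned char)ch;
}

/* 1 if the buggy index for this byte would read outside the table. */
int buggy_index_out_of_bounds(signed char ch)
{
    return buggy_index(ch) >= sizeof b64_table;
}

/* Safe lookup: every byte value, 8-bit ones included, lands in a slot. */
int b64_value(char ch)
{
    if (!b64_table_ready)
        b64_init();
    return b64_table[(unsigned char)ch];
}

/* Decode base64 the way a MIME decoder must: line breaks, junk and raw
   8-bit bytes are skipped rather than used as table indices. Stops at
   the first '='. Returns the number of output bytes produced. */
size_t b64_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    uint32_t acc = 0;
    int nbits = 0;
    size_t n = 0;

    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '=')
            break;
        int v = b64_value(in[i]);
        if (v < 0)
            continue;                       /* not an alphabet byte: skip */
        acc = (acc << 6) | (uint32_t)v;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            if (n < out_cap)
                out[n] = (unsigned char)((acc >> nbits) & 0xFFu);
            n++;
        }
    }
    return n;
}

/* Constructed input: "Hello" in base64 with a CRLF and a raw 0xE9 byte
   spliced in. Returns 1 if decoding survives the 8-bit byte and yields
   "Hello"; the buggy cast would have indexed the table with ~4 billion. */
int demo_decode_ok(void)
{
    const char sample[] = "SGVs\r\n\xE9" "bG8=";
    unsigned char out[16];
    size_t n = b64_decode(sample, sizeof sample - 1, out, sizeof out);
    return n == 5 && memcmp(out, "Hello", 5) == 0;
}

int main(void)
{
    signed char bad = -23;                  /* byte 0xE9 as a signed char */
    printf("buggy index: %u (out of bounds: %d)\n",
           buggy_index(bad), buggy_index_out_of_bounds(bad));
    printf("fixed index: %u\n", fixed_index(bad));
    printf("decode with 8-bit junk ok: %d\n", demo_decode_ok());
    return 0;
}
```

The point the example makes explicit: the promotion from signed char to int happens before the cast to unsigned, so the cast cannot recover the 0..255 byte value; only an intermediate conversion to unsigned char does. Any lookup table indexed by a char taken from untrusted input needs that cast (or an unsigned char pointer on the input buffer) at every lookup site.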