Hi all! While trying to find the cause of http://bugs.php.net/31431, I've discovered that the rfc822_8bit() function (from src/c-client/rfc822.c, line 1938) incorrectly computes the maximum result length. This causes a buffer overrun and a segfault.
Current formula:

---
unsigned char *ret = (unsigned char *) fs_get ((size_t) (3*srcl + (6*srcl)/MAXL + 3));
---

As far as I understand, this formula should be written like this:

---
3[encoded char len]*source length + ((3[encoded char len]*source length)/MAXL[max line length])*3[line ending: "=\r\n"] + 3["=\r\n" at the end]
---

So, c-client should use this line instead:

---
unsigned char *ret = (unsigned char *) fs_get ((size_t) (3*srcl + ((3*srcl)/MAXL)*3 + 3));
---

The patch is attached.
Thanks.

-- 
Wbr, 
Antony Dovgal aka tony2001
--- rfc822.c.orig 2005-01-07 01:53:34.652514640 +0300 +++ rfc822.c 2005-01-07 01:53:58.716856304 +0300 @@ -1940,7 +1940,7 @@ { unsigned long lp = 0; unsigned char *ret = (unsigned char *) - fs_get ((size_t) (3*srcl + (6*srcl)/MAXL + 3)); + fs_get ((size_t) (3*srcl + ((3*srcl)/MAXL)*3 + 3)); unsigned char *d = ret; char *hex = "0123456789ABCDEF"; unsigned char c;
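Review bot: the replacement estimate on the `+ fs_get` line, `3*srcl + ((3*srcl)/MAXL)*3 + 3`, still assumes every encoded line is filled to exactly MAXL bytes and truncates the division, so it can under-count the `=\r\n` soft breaks: an `=XX` triple cannot be split across a soft break, so a line of quoted bytes stops short of MAXL whenever MAXL is not a multiple of 3, and the terminating NUL also needs a byte that the `+ 3` has to cover together with the final break. Round the line count up and budget for short lines, for instance `3*srcl + 3*((3*srcl)/(MAXL - 2) + 1) + 1`, and add a comment above the `fs_get` spelling out what each term is a worst case for; the hunk leaves the new constant as unexplained as the old one.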
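Added example, not part of Antony's message and not c-client code: a small C program that measures what quoted-printable output actually needs and compares it with both estimates. Its encoder is a model of the RFC 2045 rules (a quoted byte becomes "=XX", a "=\r\n" soft break goes in before a line would pass MAXL bytes, an =XX triple is never split across a break); MAXL = 76 and the set of bytes it quotes are assumptions of the model, not copied from rfc822.c. It goes a step beyond the mail by searching for the first all-8-bit input length at which each estimate under-allocates: the shipped formula is short from 76 bytes on, and under these rules the patched one is still a byte short at 101 bytes, because a line of quoted bytes holds 75 bytes, not MAXL.

```c
/* Added example (not c-client code): check the rfc822_8bit() size estimates
 * against an exact count of what quoted-printable output needs.  The encoder
 * is a model of the RFC 2045 rules, not the loop from rfc822.c: a quoted byte
 * becomes "=XX" (3 bytes), a "=\r\n" soft break is inserted before a line
 * would exceed MAXL bytes, and an =XX triple is never split across a break. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXL 76          /* maximum encoded line length (assumed, as in c-client) */

/* Estimate that shipped before the patch. */
size_t qp_estimate_old(size_t srcl) { return 3 * srcl + (6 * srcl) / MAXL + 3; }

/* Estimate proposed by the patch. */
size_t qp_estimate_new(size_t srcl) { return 3 * srcl + ((3 * srcl) / MAXL) * 3 + 3; }

/* Which bytes get quoted is an assumption of this model: controls, DEL,
 * 8-bit bytes, '=' and a space that would otherwise end a line. */
static int qp_needs_quoting(unsigned char c, unsigned char next)
{
    return c < 0x20 || c == 0x7f || (c & 0x80) || c == '=' ||
           (c == ' ' && next == '\r');
}

/* Encode src[0..srcl) into dst (capacity cap).  Returns the size the full
 * output needs, NUL included.  Bytes beyond cap are counted but not written,
 * so the caller sees an overrun instead of committing one; dst may be NULL
 * when cap is 0. */
size_t qp_encode(const unsigned char *src, size_t srcl,
                 unsigned char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need = 0, lp = 0;     /* bytes needed so far; bytes on this line */
#define PUT(ch) do { if (need < cap) dst[need] = (unsigned char)(ch); need++; } while (0)
    for (size_t i = 0; i < srcl; i++) {
        unsigned char c = src[i];
        unsigned char next = (i + 1 < srcl) ? src[i + 1] : 0;
        if (c == '\r' && next == '\n') {      /* hard line break: copy, reset */
            PUT('\r'); PUT('\n'); i++; lp = 0;
            continue;
        }
        size_t width = qp_needs_quoting(c, next) ? 3 : 1;
        if (lp + width > MAXL) {              /* would overflow: soft break */
            PUT('='); PUT('\r'); PUT('\n'); lp = 0;
        }
        if (width == 3) { PUT('='); PUT(hex[c >> 4]); PUT(hex[c & 0x0f]); }
        else            { PUT(c); }
        lp += width;
    }
    PUT('\0');
#undef PUT
    return need;
}

/* Exact output size for srcl bytes that all need quoting (0xFF here), the
 * worst case for the allocation: measured by encoding, not estimated. */
size_t qp_worst_case(size_t srcl)
{
    unsigned char *src = malloc(srcl ? srcl : 1);
    if (!src) return 0;
    memset(src, 0xff, srcl);
    size_t need = qp_encode(src, srcl, NULL, 0);
    free(src);
    return need;
}

/* Smallest all-quoted input length (1..limit) for which an estimate
 * allocates fewer bytes than the output needs, or 0 if there is none. */
size_t qp_first_overrun(size_t (*estimate)(size_t), size_t limit)
{
    for (size_t n = 1; n <= limit; n++)
        if (qp_worst_case(n) > estimate(n)) return n;
    return 0;
}

/* Encode a C string into a local buffer and compare with the expected text. */
int qp_check(const char *src, const char *expect)
{
    unsigned char buf[256];
    size_t need = qp_encode((const unsigned char *)src, strlen(src), buf, sizeof buf);
    return need <= sizeof buf && strcmp((const char *)buf, expect) == 0;
}

int main(void)
{
    size_t n_old = qp_first_overrun(qp_estimate_old, 4096);
    size_t n_new = qp_first_overrun(qp_estimate_new, 4096);
    printf("old estimate: first overrun at srcl=%zu (needs %zu, allocates %zu)\n",
           n_old, qp_worst_case(n_old), qp_estimate_old(n_old));
    printf("new estimate: first overrun at srcl=%zu (needs %zu, allocates %zu)\n",
           n_new, qp_worst_case(n_new), qp_estimate_new(n_new));
    return 0;
}
```

Compile with cc -std=c99 and run; the two printed lines give, for each estimate, the first input length that overruns, the exact size needed and the size allocated. Counting bytes past the capacity instead of writing them is also the cheap way to turn a size-estimate bug of this kind into a detectable failure rather than a heap corruption.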