Hi all!

Trying to find the cause of http://bugs.php.net/31431, I've discovered 
that the rfc822_8bit() function (from src/c-client/rfc822.c, line 1938) 
incorrectly computes the maximum result length.
This causes a buffer overrun & segfault.

Current formula:
---
  unsigned char *ret = (unsigned char *)
  fs_get ((size_t) (3*srcl + (6*srcl)/MAXL + 3));
---

As far as I understand, this formula should be written like this:
---
3[encoded char len] * source length
+
((3[encoded char len] * source length) / MAXL[max line length]) * 3[line ending: "=\r\n"]
+
3["=\r\n" at the end]
---

So, c-client should use this line instead:
---
   unsigned char *ret = (unsigned char *)
    fs_get ((size_t) (3*srcl + ((3*srcl)/MAXL)*3 + 3));
---

The patch is attached.
Thanks.

-- 
Wbr, 
Antony Dovgal aka tony2001
--- rfc822.c.orig       2005-01-07 01:53:34.652514640 +0300
+++ rfc822.c    2005-01-07 01:53:58.716856304 +0300
@@ -1940,7 +1940,7 @@
 {
   unsigned long lp = 0;
   unsigned char *ret = (unsigned char *)
-    fs_get ((size_t) (3*srcl + (6*srcl)/MAXL + 3));
+    fs_get ((size_t) (3*srcl + ((3*srcl)/MAXL)*3 + 3));
   unsigned char *d = ret;
   char *hex = "0123456789ABCDEF";
   unsigned char c;
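Review bot: the replaced fs_get line in rfc822_8bit() still carries unexplained magic numbers, and the derivation that justifies them lives only in the cover message, so the next reader cannot tell the per-byte expansion (3), the per-line "=\r\n" (the *3) and the closing "=\r\n" (the + 3) apart; suggest a comment above the call, e.g. `/* worst case: 3 bytes per input byte, "=\r\n" per MAXL output bytes, trailing "=\r\n" */`. Also worth confirming, since the visible lines do not show how the function terminates its output: if rfc822_8bit() appends a NUL after the closing "=\r\n", the trailing + 3 covers the line ending only and a further + 1 is needed.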

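The sizing argument in the message, worked through as an added example (my code, not c-client's and not the patch author's): a bounded writer encodes constructed all-8-bit input with the worst-case expansion the message describes and reports whether a buffer sized by each formula would be overrun. MAXL is assumed to be 76 because the message does not show c-client's value, and line breaks are placed the way the message's arithmetic counts them (one "=\r\n" per MAXL output characters), not the way c-client's actual encoder does.

```c
#include <stdlib.h>
#include <string.h>
#define MAXL 76  /* assumed: c-client's MAXL is not shown; RFC 2045 line limit */

size_t bound_old(size_t srcl) { return 3*srcl + (6*srcl)/MAXL + 3; }      /* original */
size_t bound_new(size_t srcl) { return 3*srcl + ((3*srcl)/MAXL)*3 + 3; }  /* patched  */

/* Bounded writer: counts every byte the encoder wants to emit, stores it
 * only while it fits, and records whether cap was exceeded. */
typedef struct { unsigned char *dst; size_t cap, out, lp; int overflow; } qp_out;

static void raw(qp_out *o, unsigned char ch) {
    if (o->out < o->cap) o->dst[o->out] = ch; else o->overflow = 1;
    o->out++;
}

/* Model of the message's accounting (not c-client's encoder): a soft break
 * "=\r\n" goes before any character that would be the (MAXL+1)th on a line. */
static void emit(qp_out *o, unsigned char ch) {
    if (o->lp == MAXL) { raw(o, '='); raw(o, '\r'); raw(o, '\n'); o->lp = 0; }
    raw(o, ch);
    o->lp++;
}

/* Worst case: every input byte becomes "=XX" and a final "=\r\n" closes the
 * output. Returns bytes required; *overflow is set if that exceeds cap
 * (nothing beyond cap is ever written). */
size_t qp_worst_case(const unsigned char *src, size_t srcl,
                     unsigned char *dst, size_t cap, int *overflow) {
    static const char hex[] = "0123456789ABCDEF";
    qp_out o = { dst, cap, 0, 0, 0 };
    for (size_t i = 0; i < srcl; i++) {
        emit(&o, '='); emit(&o, hex[src[i] >> 4]); emit(&o, hex[src[i] & 0xF]);
    }
    raw(&o, '='); raw(&o, '\r'); raw(&o, '\n');
    *overflow = o.overflow;
    return o.out;
}

/* 1 if a buffer of bound(srcl) bytes holds the worst-case encoding of srcl
 * 8-bit bytes (constructed input, all 0xFF), 0 if it would be overrun. */
int bound_holds(size_t (*bound)(size_t), size_t srcl) {
    size_t cap = bound(srcl);
    unsigned char *src = malloc(srcl + 1), *dst = malloc(cap);
    int overflow = 0;
    if (!src || !dst) { free(src); free(dst); return -1; }
    memset(src, 0xFF, srcl);
    qp_worst_case(src, srcl, dst, cap, &overflow);
    free(src); free(dst);
    return !overflow;
}
```

Under this model the original formula first comes up short at 26 input bytes (it reserves two bytes per soft line break instead of three), while the patched formula holds for every length tried.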