Tetsuo Handa writes:

> Sam Varshavchik wrote:
> > This turns out to be a tiny bug in the GNU libidn library causing all sorts
> > of crap to happen in Courier-IMAP. I'm not a happy camper today. I need to
> > figure out how to work around this bug...
>
> So, you succeeded in reproducing the crash in your environment, didn't you?
>
> But excuse me, are you sure that this is a bug in the GNU libidn library?

Yes.

> 0xe3 is the first byte of a 3-byte-length UTF-8 character.
> Is it legal to pass 0xe3 without the two subsequent valid bytes?

It is not valid UTF-8; however, what happens is that when libidn tries to parse that, it skips over the trailing \0 in the string and continues reading the contents of the heap that follows.

> It seems to me that the crash no longer occurs if we allocate a larger buffer
> on the courier-imap side.

That may not work in all cases. No matter how much extra overhead you allocate, it's a matter of how far past the trailing \0 libidn keeps walking before it decides that it has found the end of the string. And the buffer that you changed is not the one that gets blown.

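The behaviour Sam describes, as an added example that is not from the thread and is not libidn's code: `naive_utf8_walk` is an illustrative decoder with the same class of defect (it trusts the length announced by the lead byte and never checks that the continuation bytes are actually there, so a lone 0xE3 makes it step over the terminating NUL), and `utf8_is_valid` is the check the calling side can run before passing anything to libidn. `fake_heap` is a constructed byte layout standing in for "the string plus whatever follows it in memory"; all function and variable names here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte layout standing in for "the string plus whatever follows
 * it on the heap": a lone 0xE3 lead byte, its terminating NUL, then two
 * unrelated bytes and a second NUL. strlen() of this is 1. */
static const char fake_heap[] = "\xe3\0ab";

/* Deliberately naive UTF-8 walker (illustrative, NOT libidn's code): it
 * trusts the length announced by the lead byte and never checks that the
 * continuation bytes exist. On a truncated sequence it steps over the
 * terminating NUL and keeps going until some later byte happens to be 0.
 * Returns the offset at which it finally stopped. */
size_t naive_utf8_walk(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t i = 0;

    while (p[i] != 0) {
        unsigned char c = p[i];
        size_t len;

        if (c < 0x80)                len = 1;
        else if ((c & 0xE0) == 0xC0) len = 2;
        else if ((c & 0xF0) == 0xE0) len = 3;
        else if ((c & 0xF8) == 0xF0) len = 4;
        else                         len = 1;   /* stray continuation byte */

        i += len;   /* BUG: a truncated sequence jumps past the NUL */
    }
    return i;
}

/* Strict validator a caller can run before handing a string to libidn.
 * Reads each byte only after the previous one was seen to be non-NUL, so a
 * truncated sequence is reported instead of walked past. Also rejects
 * overlong forms, UTF-16 surrogates and code points above U+10FFFF. */
int utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        unsigned char c = *p;
        size_t need;
        uint32_t cp;

        if (c < 0x80) { p++; continue; }
        else if (c >= 0xC2 && c <= 0xDF) { need = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { need = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; }
        else return 0;   /* 0x80-0xC1: stray continuation / overlong lead; 0xF5+: out of range */

        for (size_t k = 1; k <= need; k++) {
            /* A NUL here fails the 10xxxxxx test, so we stop at the terminator
             * instead of reading beyond it. */
            if ((p[k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (p[k] & 0x3F);
        }
        if ((need == 2 && cp < 0x800) ||
            (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) ||
            (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;

        p += need + 1;
    }
    return 1;
}

int main(void)
{
    printf("strlen(fake_heap) = %zu\n", strlen(fake_heap));
    printf("naive walker stopped at offset %zu\n", naive_utf8_walk(fake_heap));
    printf("utf8_is_valid(fake_heap) = %d\n", utf8_is_valid(fake_heap));
    printf("utf8_is_valid(\"\\xe3\\x81\\x82\") = %d\n", utf8_is_valid("\xe3\x81\x82"));
    return 0;
}
```

The naive walker stops at offset 4 on a string whose strlen() is 1: where it stops depends entirely on the bytes that happen to follow the terminator, which is why enlarging a buffer on the caller's side only moves the problem around rather than removing it. Rejecting truncated input up front with the validator (or fixing the library) is the durable fix.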

_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
