Package: libbuffy-dev
Version: 1.9.2-2
Severity: normal
Tags: patch
Hi,
While debugging a mips64el problem (the one in libwibble), I recompiled
libbuffy with -fsanitize=address and found a buffer overflow in the
isMailBox function in mailbox.cc.
The code reads as follows:
> static const int bufsize = 1024;
> char buf[bufsize];
> int res = gzread(in, buf, bufsize);
[...]
> // Read was correct, add a string terminator
> buf[res] = 0;
If gzread returns bufsize (as it is allowed to), this will write past the
end of the buffer. To fix this, buf should be declared with size (bufsize
+ 1).
> char buf[bufsize + 1];
Thanks,
James
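The read-and-terminate pattern from isMailBox in a hardened form, added here as an example; it is not buffy's code and does not use zlib. gzread is replaced by fake_gzread, an in-memory stand-in with the same return contract (bytes read, 0 at EOF, -1 on error), and BUFSIZE, fake_gzfile, read_head and the demo_* functions are names chosen for this illustration. Besides the extra byte from the patch, it derives the read length from sizeof(buf) so the two cannot drift apart, and it rejects the -1 error return before using it as an index, a check the quoted excerpt elides with [...]. The sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for zlib's gzread() with the same return contract: number of
 * bytes read, 0 at end of file, -1 on error. It reads from an in-memory
 * byte string so the example runs without zlib. Constructed for this
 * example; it is not zlib and not buffy code. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
    int fail;               /* when set, every read reports an error */
} fake_gzfile;

static int fake_gzread(fake_gzfile *in, void *buf, unsigned len)
{
    if (in->fail)
        return -1;
    size_t left = in->len - in->pos;
    size_t n = left < len ? left : len;
    memcpy(buf, in->data + in->pos, n);
    in->pos += n;
    return (int)n;
}

enum { BUFSIZE = 1024 };

/* Read the first chunk of a file into dst as a NUL-terminated string.
 * Returns the number of bytes read (0 for an empty file) or -1 on a read
 * error. Three things keep buf[res] in bounds:
 *  - buf is one byte longer than the read length, so the terminator fits
 *    even when the read fills the whole request (res == BUFSIZE);
 *  - the read length is derived from sizeof(buf), so the +1 cannot be
 *    lost if the size is changed later;
 *  - a negative return is rejected before it is used as an index
 *    (buf[-1] would be a one-byte underflow). */
static int read_head(fake_gzfile *in, char *dst, size_t dstcap)
{
    char buf[BUFSIZE + 1];
    int res = fake_gzread(in, buf, sizeof(buf) - 1);
    if (res < 0)
        return -1;
    buf[res] = 0;           /* 0 <= res <= BUFSIZE < sizeof(buf) */

    if (dstcap == 0)
        return -1;
    size_t n = (size_t)res < dstcap - 1 ? (size_t)res : dstcap - 1;
    memcpy(dst, buf, n);
    dst[n] = 0;
    return res;
}

/* Constructed inputs covering the three return paths. Each returns the
 * read_head() result, or -2 if the terminated string is not as expected. */
static int demo_full_read(void)
{
    static unsigned char big[2 * BUFSIZE];   /* more data than buf holds */
    char out[BUFSIZE + 1];
    memset(big, 'A', sizeof big);
    fake_gzfile f = { big, sizeof big, 0, 0 };
    int res = read_head(&f, out, sizeof out);
    /* res == BUFSIZE is the case the bug report describes; the terminator
     * lands at out[BUFSIZE], the last byte of the array. */
    return (res == BUFSIZE && strlen(out) == BUFSIZE) ? res : -2;
}

static int demo_empty_file(void)
{
    char out[BUFSIZE + 1];
    fake_gzfile f = { (const unsigned char *)"", 0, 0, 0 };
    int res = read_head(&f, out, sizeof out);
    return (res == 0 && out[0] == 0) ? res : -2;
}

static int demo_read_error(void)
{
    char out[BUFSIZE + 1];
    fake_gzfile f = { (const unsigned char *)"From ", 5, 0, 1 };
    return read_head(&f, out, sizeof out);  /* -1, no indexing happened */
}

int main(void)
{
    printf("full read: %d\n", demo_full_read());
    printf("empty file: %d\n", demo_empty_file());
    printf("read error: %d\n", demo_read_error());
    return 0;
}
```

Built with -fsanitize=address, the full-read case is exactly the one that trips the sanitizer in the original declaration (char buf[bufsize]); with the extra byte and the sizeof-derived length it stays clean.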
diff -u -r a/buffy/mailfolder/mailbox.cc b/buffy/mailfolder/mailbox.cc
--- a/buffy/mailfolder/mailbox.cc 2013-10-25 14:02:51.000000000 +0100
+++ b/buffy/mailfolder/mailbox.cc 2015-01-19 16:40:49.835901511 +0000
@@ -242,7 +242,7 @@
throw wibble::exception::File(pathname, "opening file");
static const int bufsize = 1024;
- char buf[bufsize];
+ char buf[bufsize + 1];
int res = gzread(in, buf, bufsize);
if (res == 0)
{
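Review bot: the context after the read tests only `res == 0`, but gzread also returns -1 on error, and the terminator write quoted in the report (`buf[res] = 0;`) would then still hit `buf[-1]` with the larger buffer; please confirm the code elided between the read and the terminator rejects `res < 0` before indexing. Minor: passing `sizeof(buf) - 1` to gzread instead of `bufsize` would tie the read length to the declaration so the `+ 1` cannot be lost if the size is changed later.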