Package: maildrop
Version: 2.8.4-2
When you run "reformail -f1" against a message with a malformed Errors-To
header, reformail uses memory that has already been freed:
$ printf 'Errors-To:' | valgrind --quiet -- reformail -f1
==8668== Invalid read of size 1
==8668== at 0x10BEEA: add_from_filter() (reformail.C:186)
==8668== by 0x10B575: ReadLineAddHeader() (reformail.C:523)
==8668== by 0x10C417: ReadLine() (reformail.C:664)
==8668== by 0x10C78B: copy(int, char**, int) (reformail.C:721)
==8668== by 0x1093A2: main (reformail.C:1214)
==8668== Address 0x4c3e121 is 9 bytes inside a block of size 512 free'd
==8668== at 0x482FE78: operator delete[](void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==8668== by 0x10BEE3: ~Buffer (buffer.h:25)
==8668== by 0x10BEE3: add_from_filter() (reformail.C:188)
==8668== by 0x10B575: ReadLineAddHeader() (reformail.C:523)
==8668== by 0x10C417: ReadLine() (reformail.C:664)
==8668== by 0x10C78B: copy(int, char**, int) (reformail.C:721)
==8668== by 0x1093A2: main (reformail.C:1214)
==8668== Block was alloc'd at
==8668== at 0x482F00C: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==8668== by 0x10D6D4: Buffer::append(int) (buffer.C:15)
==8668== by 0x10BCE5: push (buffer.h:41)
==8668== by 0x10BCE5: add_from_filter() (reformail.C:195)
==8668== by 0x10B575: ReadLineAddHeader() (reformail.C:523)
==8668== by 0x10C417: ReadLine() (reformail.C:664)
==8668== by 0x10C78B: copy(int, char**, int) (reformail.C:721)
==8668== by 0x1093A2: main (reformail.C:1214)
...
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
Versions of packages maildrop depends on:
ii courier-authlib 0.68.0-4
ii libc6 2.24-17
ii libcourier-unicode1 1.4-3+b1
ii libgcc1 1:7.2.0-7
ii libgdbm3 1.8.3-14
ii libpcre3 2:8.39-5
ii libstdc++6 7.2.0-7
--
Jakub Wilk