I'm trying to fix a buffer overflow in PHP-IMAP. It declares a buffer of size
MAILTMPLEN (=1024) and then uses rfc822_write_address_full to write a canonical
version of the first address from each of the From: and To: headers into the
buffer. I found an e-mail in a user's INBOX that had a corrupted To: header
with unbalanced double quotes that made the whole thing look like one long
e-mail address. This e-mail triggered a segfault every time the user tried to
log in to Horde.
Is there a snprintf-style version of rfc822_write_address_full that could be
used instead? Would it be reasonable to limit rfc822_write_address_full to
writing at most MAILTMPLEN bytes?
Thanks,
John Dalbec
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
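The pattern the post is asking about, an address renderer with snprintf semantics that can never write past a MAILTMPLEN-sized buffer, as an added example that is not part of the original message and not c-client code. The `ADDR` struct is a simplified stand-in for c-client's `ADDRESS` (assumption: only personal, mailbox and host are needed), and `write_address_bounded`, `render_fits`, `make_long_token` and `demo` are hypothetical names. The oversized mailbox token is constructed inline to stand in for the corrupted To: header described above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAILTMPLEN 1024   /* same size as the c-client temporary buffer */

/* Simplified stand-in for c-client's ADDRESS (assumption: only the fields
 * needed to render "personal" <mailbox@host>). */
typedef struct addr {
    const char *personal;
    const char *mailbox;
    const char *host;
} ADDR;

/* Bounded renderer. Writes at most cap-1 bytes plus a terminating NUL,
 * exactly like snprintf, and returns the length the full address would
 * need, so the caller can detect truncation with (ret >= cap). */
size_t write_address_bounded(char *dest, size_t cap, const ADDR *a)
{
    int n;
    if (cap == 0) return 0;
    if (a->personal && *a->personal)
        n = snprintf(dest, cap, "\"%s\" <%s@%s>", a->personal, a->mailbox, a->host);
    else
        n = snprintf(dest, cap, "%s@%s", a->mailbox, a->host);
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if the address rendered completely, 0 if it was truncated. */
int render_fits(char *dest, size_t cap, const ADDR *a)
{
    return write_address_bounded(dest, cap, a) < cap;
}

/* Constructed test input: a mailbox token of `len` 'x' characters, standing
 * in for a header that unbalanced quotes turned into one huge address.
 * The caller frees the result. */
char *make_long_token(size_t len)
{
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memset(s, 'x', len);
    s[len] = '\0';
    return s;
}

/* Demonstration: a normal address fits; an address longer than MAILTMPLEN
 * is truncated and NUL-terminated instead of running off the end of the
 * buffer. Returns the number of cases (out of 2) that behaved safely. */
int demo(void)
{
    char buf[MAILTMPLEN];
    int ok = 0;

    ADDR normal = { "John Dalbec", "jpd", "example.org" };
    if (render_fits(buf, sizeof buf, &normal) &&
        strcmp(buf, "\"John Dalbec\" <jpd@example.org>") == 0)
        ok++;

    char *tok = make_long_token(1500);
    if (!tok) return ok;
    ADDR bogus = { NULL, tok, "example.org" };
    size_t need = write_address_bounded(buf, sizeof buf, &bogus);
    /* Truncated: needed more than the buffer, wrote exactly cap-1 chars. */
    if (need >= sizeof buf && strlen(buf) == sizeof buf - 1)
        ok++;
    free(tok);
    return ok;
}

int main(void)
{
    printf("%d/2 cases handled safely\n", demo());
    return 0;
}
```

The caller checks the return value against the buffer size rather than trusting the output, which is what an unbounded writer such as the one described above cannot offer. This stand-in does not implement RFC 822 quoting of the personal name; it only shows the bounds-checking contract a safe replacement would need to expose.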