commit d34baeb88607706ab5eec8f049cdc900030f2601
Author: Oswald Buddenhagen <[email protected]>
Date: Sat Apr 12 13:03:46 2014 +0200
fix hypothetical buffer overflows
if something managed to make the maildir .uidvalidity files big enough
(possible only by appending garbage or scrambling them alltogether), we
would overflow the read buffer by one when appending the terminating
null.
this is not expected to have any real-world impact.
found by coverity.
src/drv_maildir.c | 2 +-
src/mdconvert.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/drv_maildir.c b/src/drv_maildir.c
index e751f4b..cb2d268 100644
--- a/src/drv_maildir.c
+++ b/src/drv_maildir.c
@@ -496,7 +496,7 @@ maildir_uidval_lock( maildir_store_t *ctx )
return DRV_BOX_BAD;
}
lseek( ctx->uvfd, 0, SEEK_SET );
- if ((n = read( ctx->uvfd, buf, sizeof(buf) )) <= 0 ||
+ if ((n = read( ctx->uvfd, buf, sizeof(buf) - 1 )) <= 0 ||
(buf[n] = 0, sscanf( buf, "%d\n%d", &ctx->gen.uidvalidity,
&ctx->nuid ) != 2)) {
#if 1
/* In a generic driver, resetting the UID validity would be the
right thing.
diff --git a/src/mdconvert.c b/src/mdconvert.c
index da9970f..ec2a558 100644
--- a/src/mdconvert.c
+++ b/src/mdconvert.c
@@ -135,7 +135,7 @@ convert( const char *box, int altmap )
key.data = (void *)"UIDVALIDITY";
key.size = 11;
if (altmap) {
- if ((n = read( sfd, buf, sizeof(buf) )) <= 0 ||
+ if ((n = read( sfd, buf, sizeof(buf) - 1 )) <= 0 ||
(buf[n] = 0, sscanf( buf, "%d\n%d", &uv[0], &uv[1] ) != 2))
{
fprintf( stderr, "Error: cannot read UIDVALIDITY of
'%s'.\n", box );
------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
isync-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/isync-devel
