#3635: potential buffer overruns
--------------------+----------------------
Reporter: jbeck | Owner: mutt-dev
Type: defect | Status: new
Priority: minor | Milestone:
Component: mutt | Version: 1.5.21
Keywords: patch |
--------------------+----------------------
Parfait (a static code analysis tool) reported several potential buffer
overruns:

    Error: Buffer overrun
       Read outside array bounds (CWE 125): In pointer dereference of
       command[x] with index 'x'
       Pointer size is 1024 bytes, index is 1024
          at line 76 of components/mutt/mutt-1.5.21/rfc1524.c in function
          'rfc1524_expand_command'.
          called at line 1251 of components/mutt/mutt-1.5.21/handler.c in
          function 'autoview_handler' with command = command.
          at line 81 of components/mutt/mutt-1.5.21/rfc1524.c in function
          'rfc1524_expand_command'.
          called at line 1251 of components/mutt/mutt-1.5.21/handler.c in
          function 'autoview_handler' with command = command.
          at line 100 of components/mutt/mutt-1.5.21/rfc1524.c in function
          'rfc1524_expand_command'.
          called at line 1251 of components/mutt/mutt-1.5.21/handler.c in
          function 'autoview_handler' with command = command.
          at line 105 of components/mutt/mutt-1.5.21/rfc1524.c in function
          'rfc1524_expand_command'.
          called at line 1251 of components/mutt/mutt-1.5.21/handler.c in
          function 'autoview_handler' with command = command.

(Four more instances similar to the above set.)

    Error: Buffer overrun
       Buffer overflow (CWE 120): In array dereference of buf[l] with index
       'l'
       Array size is 5120 bytes, index <= 5120
          at line 1669 of components/mutt/mutt-1.5.21/sendlib.c in function
          'fold_one_header'.

Both of these are caused by off-by-one bounds-checking errors.

The attached patch fixes both issues.

--
Ticket URL: <http://dev.mutt.org/trac/ticket/3635>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
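
The kind of off-by-one read the first finding describes (index equal to the buffer size), as an added example that is not part of the ticket, the attached patch, or mutt's source: the loop guard checks x, an escape branch advances x, and the next dereference lands one past the field. The names unescape, probe, FIELD and g_leaked and the canary byte are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD 1024      /* declared field size, matching the report's 1024 */
static int g_leaked;    /* set by probe(): did the canary reach the output? */

/* Constructed illustration, not mutt's rfc1524.c: copy a clen-byte field to
 * dst, dropping the backslash of "\c". Returns the highest src index read. */
static size_t unescape(const char *src, size_t clen, char *dst, size_t dlen,
                       int hardened)
{
    size_t x = 0, y = 0, hi = 0;

    while (x < clen && src[x] && y < dlen - 1) {
        if (src[x] == '\\') {
            x++;                            /* x may now equal clen */
            if (hardened && (x >= clen || !src[x]))
                break;                      /* dangling escape: stop here */
        }
        hi = x;
        dst[y++] = src[x++];                /* weak form reads src[clen] */
    }
    dst[y] = '\0';
    return hi;
}

/* The backing store is FIELD + 1 bytes so the over-read lands on a canary
 * this program owns instead of invoking undefined behaviour. */
static size_t probe(int hardened)
{
    char backing[FIELD + 1], out[2 * FIELD];
    size_t hi;

    memset(backing, 'a', FIELD);
    backing[FIELD - 1] = '\\';              /* escape in the last valid byte */
    backing[FIELD] = '!';                   /* canary just past the field */
    hi = unescape(backing, FIELD, out, sizeof out, hardened);
    g_leaked = strchr(out, '!') != NULL;
    return hi;
}

int main(void)
{
    size_t w = probe(0); int lw = g_leaked;
    size_t f = probe(1); int lf = g_leaked;
    printf("weak:     max index %zu, canary copied: %d\n", w, lw);
    printf("hardened: max index %zu, canary copied: %d\n", f, lf);
    return 0;
}
```

The guard `x < clen` holds only for the value of x it tested; any branch that increments x before the next dereference needs its own bound check.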