#3636: Possible buffer overflow in smime.c
----------------------+----------------------
Reporter: wfiveash | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: mutt | Version: 1.5.21
Keywords: |
----------------------+----------------------
In smime_ask_for_key() there are several calls to fscanf() like:
    numFields = fscanf (index, MUTT_FORMAT(STRING) " %x.%i "
                        MUTT_FORMAT(STRING), fields[0], &hash,
                        &hash_suffix, fields[2]);
Note that MUTT_FORMAT(STRING) is basically "%256s". Note that fields is
defined as: char fields[5][STRING];
So it is possible for fscanf() to go beyond the fields string buffer when
it writes the string terminator, '\0', when processing an input string
that is 256 chars long. Seems like fields should be:
    char fields[5][STRING+1];
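As an added illustration (not code from the ticket or from mutt itself), the snippet below mirrors the constants involved (STRING is 256, MUTT_FORMAT(STRING) is "%256s") with destination buffers sized STRING+1 as proposed, and parses constructed index lines with sscanf instead of fscanf on the index file. It shows that a 256-character field needs all 257 bytes, and that a field longer than the width is not an overflow but a silent parse failure: "%256s" stops after 256 characters, the leftover text is then fed to " %x", and the call returns 1 instead of 4.

```c
#include <stdio.h>
#include <string.h>

/* Same values as mutt's smime.c: STRING is 256 and MUTT_FORMAT(STRING)
 * expands to "%256s". A "%256s" conversion stores up to 256 characters
 * plus the terminating '\0', so each destination needs STRING + 1 bytes,
 * which is the fix proposed in the ticket. */
#define STRING 256
#define FIELD_FMT "%256s"

/* Result of parsing one index line. The buffers are STRING + 1 long so a
 * maximal-width field is stored together with its terminator in bounds. */
struct index_entry {
    char fields[5][STRING + 1];
    unsigned int hash;
    int hash_suffix;
    int num_fields;   /* what sscanf returned, like numFields in mutt */
};

/* Parses "<field0> <hash>.<suffix> <field2>" with the same format string
 * shape as smime_ask_for_key(), but from a string rather than a FILE*. */
void parse_index_line(const char *line, struct index_entry *e)
{
    memset(e, 0, sizeof *e);
    e->num_fields = sscanf(line, FIELD_FMT " %x.%i " FIELD_FMT,
                           e->fields[0], &e->hash, &e->hash_suffix,
                           e->fields[2]);
}

/* Constructs an index line whose first field is `len` copies of 'z' and
 * parses it. Returns sscanf's count; if `got` is non-NULL, stores the
 * length of what landed in fields[0]. 'z' is used because it is not a hex
 * digit, so an overlong field spilling into " %x" fails that conversion. */
int probe_field_length(size_t len, size_t *got)
{
    char line[STRING + 64];   /* constructed sample input */
    struct index_entry e;

    if (len > STRING + 8)     /* keep the constructed line inside `line` */
        len = STRING + 8;
    memset(line, 'z', len);
    snprintf(line + len, sizeof line - len, " 1234abcd.0 user@example.org");
    parse_index_line(line, &e);
    if (got)
        *got = strlen(e.fields[0]);
    return e.num_fields;
}

/* Convenience wrapper: only the stored length of fields[0]. */
size_t probe_stored_length(size_t len)
{
    size_t got = 0;
    probe_field_length(len, &got);
    return got;
}
```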
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3636>
Mutt <http://www.mutt.org/>
The Mutt mail user agent