changeset: 6297:14596ac2b323
user: [email protected]
date: Fri Feb 22 16:30:40 2013 +0000
link: http://dev.mutt.org/hg/mutt/rev/14596ac2b323
fix potential buffer overflow in off-by-one bounds checking error
closes #3635
diffs (24 lines):
diff -r 302044b4ed3f -r 14596ac2b323 rfc1524.c
--- a/rfc1524.c Fri Feb 08 17:06:31 2013 +0000
+++ b/rfc1524.c Fri Feb 22 16:30:40 2013 +0000
@@ -68,7 +68,7 @@
if (option (OPTMAILCAPSANITIZE))
mutt_sanitize_filename (type, 0);
- while (x < clen && command[x] && y < sizeof (buf) - 1)
+ while (x < clen - 1 && command[x] && y < sizeof (buf) - 1)
{
if (command[x] == '\\')
{
diff -r 302044b4ed3f -r 14596ac2b323 sendlib.c
--- a/sendlib.c Fri Feb 08 17:06:31 2013 +0000
+++ b/sendlib.c Fri Feb 22 16:30:40 2013 +0000
@@ -1664,7 +1664,7 @@
/* find the next word and place it in `buf'. it may start with
* whitespace we can fold before */
next = find_word (p);
- l = MIN(sizeof (buf), next - p);
+ l = MIN(sizeof (buf) - 1, next - p);
memcpy (buf, p, l);
buf[l] = 0;
