#3776: Out of bounds heap read when parsing malformed header
--------------------+---------------------
Reporter: hanno | Owner: brendan
Type: defect | Status: new
Priority: major | Milestone:
Component: IMAP | Version:
Keywords: |
--------------------+---------------------
A malformed mail header can cause an out-of-bounds heap read access in
mutt. The attached file can show that (it just consists of three chars: a
':', a newline and a zero byte). It can be tested by running mutt -H
[samplefile].
This bug is only visible with memory debugging tools like Valgrind or
AddressSanitizer. With AddressSanitizer it will show this stack trace:
==14289==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000647f at pc 0x000000620c24 bp 0x7ffcbd9edfb0 sp 0x7ffcbd9edfa8
READ of size 1 at 0x61900000647f thread T0
    #0 0x620c23 in mutt_read_rfc822_line /f/mutt-1.5.24/parse.c:57:9
    #1 0x625d69 in mutt_read_rfc822_header /f/mutt-1.5.24/parse.c:1350:13
    #2 0x5cd0f5 in main /f/mutt-1.5.24/main.c:930:22
    #3 0x7f6416f7df9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #4 0x443376 in _start (/mnt/ram/mutt/mutt+0x443376)

0x61900000647f is located 1 bytes to the left of 1024-byte region [0x619000006480,0x619000006880)
allocated by thread T0 here:
    #0 0x4ca342 in malloc (/mnt/ram/mutt/mutt+0x4ca342)
    #1 0x6c25a0 in safe_malloc /f/mutt-1.5.24/lib.c:151:21
    #2 0x5cd0f5 in main /f/mutt-1.5.24/main.c:930:22
    #3 0x7f6416f7df9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
This was found with the fuzzing tool american fuzzy lop.
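The trace reports a one-byte READ exactly one byte before a 1024-byte heap region, from the routine that reads header lines. A zero byte in the input is a classic way to get that symptom in a line reader built on fgets(): fgets() stores the NUL, strlen() of the result is then 0, and any "step back to the last byte stored" computation lands on line[-1]. Whether that is precisely what parse.c:57 does is an assumption here; the example below is an added illustration, not mutt's parse.c, and its function names (read_header_line, scan_headers, first_header_is) and both inputs are constructed for it. It shows a simplified RFC 822 header-line reader with folding support that checks the length of what fgets() returned before indexing, run over the ticket's three-byte sample and over an ordinary folded header.

```c
/* Added example, not mutt's code: a simplified RFC 822 header-line reader
 * that stays inside its buffer when the input contains a NUL byte. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Read one logical header line (folded continuation lines joined) from f
 * into line[linelen].  Returns the number of bytes stored; 0 means end of
 * headers (blank line) or end of file. */
static size_t read_header_line(FILE *f, char *line, size_t linelen)
{
    size_t offset = 0;                     /* bytes already stored in line[] */

    for (;;) {
        if (fgets(line + offset, (int)(linelen - offset), f) == NULL)
            break;                                  /* EOF */
        size_t got = strlen(line + offset);
        /* Guard: a NUL byte in the input makes got == 0.  Without this check
         * the "last byte stored" below would be line[offset - 1], which at
         * the start of a line is line[-1]: one byte before the buffer, the
         * kind of read ASan reports in the ticket. */
        if (got == 0)
            return offset;
        if (offset == 0 && isspace((unsigned char)line[0]))
            break;                                  /* blank line: headers end */

        size_t end = offset + got;                  /* one past the last byte stored */
        if (line[end - 1] != '\n')
            return end;                             /* no newline: final or truncated line */
        while (end > 0 && isspace((unsigned char)line[end - 1]))
            line[--end] = '\0';                     /* strip trailing whitespace */
        offset = end;

        /* a following space or tab means the line is folded (continues) */
        int ch = fgetc(f);
        if (ch != EOF)
            ungetc(ch, f);
        if ((ch != ' ' && ch != '\t') || offset + 2 >= linelen)
            return offset;
    }
    line[0] = '\0';
    return 0;
}

/* Run the reader over an in-memory message.  A tmpfile() is used so that
 * plain fgets() sees the bytes exactly as it would from mutt -H <file>.
 * Returns the number of header lines; copies the first one into 'first'. */
static int scan_headers(const char *data, size_t len, char *first, size_t firstlen)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    if (fwrite(data, 1, len, f) != len) { fclose(f); return -1; }
    rewind(f);

    char line[1024];                       /* same size as the ASan region */
    int n = 0;
    if (first != NULL && firstlen > 0)
        first[0] = '\0';
    while (read_header_line(f, line, sizeof line) > 0) {
        if (n == 0 && first != NULL && firstlen > 0) {
            strncpy(first, line, firstlen - 1);
            first[firstlen - 1] = '\0';
        }
        n++;
    }
    fclose(f);
    return n;
}

/* Does the first header line of the message equal 'expected'? */
static int first_header_is(const char *data, size_t len, const char *expected)
{
    char first[1024];
    return scan_headers(data, len, first, sizeof first) >= 0
        && strcmp(first, expected) == 0;
}

/* The ticket's sample, constructed here: ':', newline, and the string
 * terminator serves as the zero byte, so sizeof covers all three bytes. */
static const char TICKET_SAMPLE[] = ":\n";
/* A constructed ordinary header block with a folded Subject line. */
static const char FOLDED_SAMPLE[] = "Subject: hello\n\tworld\nX-Test: 1\n\nbody\n";

int main(void)
{
    printf("ticket sample: %d header line(s), first is \":\": %d\n",
           scan_headers(TICKET_SAMPLE, sizeof TICKET_SAMPLE, NULL, 0),
           first_header_is(TICKET_SAMPLE, sizeof TICKET_SAMPLE, ":"));
    char first[64];
    int n = scan_headers(FOLDED_SAMPLE, sizeof FOLDED_SAMPLE - 1, first, sizeof first);
    printf("folded sample: %d header line(s), first = \"%s\"\n", n, first);
    return 0;
}
```

Run under AddressSanitizer (clang -fsanitize=address) the reader is silent on the three-byte sample: the ":" line is returned, the zero byte ends the header block, and nothing is read before line[0]. Removing the `got == 0` guard is the quickest way to see the one-byte-left READ reappear in a build with the sanitizer enabled.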
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3776>
Mutt <http://www.mutt.org/>
The Mutt mail user agent