The menu type is used in several places as a direct index into Keymaps[], so passing in -1 to mutt_new_menu() was leading to illegal memory accesses later on.
Add a range check in mutt_new_menu(), defaulting to MENU_GENERIC, to prevent this problem in the future. -- Kevin J. McCarthy GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA http://www.8t8.us/configs/gpg-key-transition-statement.txt
# HG changeset patch
# User Kevin McCarthy <[email protected]>
# Date 1443335580 -28800
# Sun Sep 27 14:33:00 2015 +0800
# Node ID c1cb2f94e0bad0442d2bfd22274a8c758f3a2951
# Parent aec82c4dd826f236e5fd2eeb362bb6a9a44882f6
Fix menu type in certificate prompt. (see #3779) The menu type is used in several places as a direct index into Keymaps[], so passing in -1 to mutt_new_menu() was leading to illegal memory accesses later on. Add a range check in mutt_new_menu(), defaulting to MENU_GENERIC, to prevent this problem in the future.
diff --git a/menu.c b/menu.c
--- a/menu.c
+++ b/menu.c
@@ -679,16 +679,19 @@ for (i = 0; i < MENU_MAX; i++) SearchBuffers[i] = NULL; } MUTTMENU *mutt_new_menu (int menu) { MUTTMENU *p = (MUTTMENU *) safe_calloc (1, sizeof (MUTTMENU));
+ if ((menu < 0) || (menu >= MENU_MAX))
+ menu = MENU_GENERIC;
+
 p->menu = menu; p->current = 0; p->top = 0; p->offset = 1; p->redraw = REDRAW_FULL; p->pagelen = PAGELEN; p->color = default_color; p->search = menu_search_generic;
diff --git a/mutt_ssl.c b/mutt_ssl.c
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -972,17 +972,17 @@ static int interactive_check_cert (X509 *cert, int idx, int len) { static const char * const part[] = {"/CN=", "/Email=", "/O=", "/OU=", "/L=", "/ST=", "/C="}; char helpstr[LONG_STRING]; char buf[STRING]; char title[STRING];
- MUTTMENU *menu = mutt_new_menu (-1);
+ MUTTMENU *menu = mutt_new_menu (MENU_GENERIC);
 int done, row, i; FILE *fp; char *name = NULL, *c; dprint (2, (debugfile, "interactive_check_cert: %s\n", cert->name)); menu->max = 19; menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
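Review bot: The range check added at the top of mutt_new_menu() in menu.c silently replaces an out-of-range type with MENU_GENERIC, so a caller bug like the `-1` fixed elsewhere in this commit would go unnoticed the next time it happens. A debug trace before the fallback keeps it visible, e.g. `dprint (1, (debugfile, "mutt_new_menu: invalid menu type %d\n", menu));` ahead of `menu = MENU_GENERIC;` (the two statements then need braces), assuming dprint is usable in menu.c as it is in mutt_ssl.c. A short comment such as `/* menu indexes Keymaps[]; clamp invalid values rather than read out of bounds */` would record why the check exists. The check covers construction only, so any later direct assignment to `p->menu` is presumably not guarded; the function body continues past the end of the hunk.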
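Review bot: The certificate trust prompt in interactive_check_cert() (mutt_ssl.c), and the matching call in the mutt_ssl_gnutls.c hunk, is now tied to the generic keymap, and the commit does not show how that interacts with the dialog's own keys. Since this is where a user accepts or rejects a server certificate, it is worth confirming that bindings or macros defined for the generic menu cannot shadow the accept/reject keys; that handling lies outside the visible hunks, so this is a question rather than a finding. A one-line comment at both call sites, e.g. `/* menu type indexes Keymaps[]; must be a valid MENU_* value */`, would help keep the `-1` from being reintroduced. Both functions extend beyond their hunks.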
@@ -845,17 +845,17 @@ if (gnutls_x509_crt_import (cert, certdata, GNUTLS_X509_FMT_DER) < 0) { mutt_error (_("Error processing certificate data")); mutt_sleep (2); gnutls_x509_crt_deinit (cert); return 0; }
- menu = mutt_new_menu (-1);
+ menu = mutt_new_menu (MENU_GENERIC);
 menu->max = 25; menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *)); for (i = 0; i < menu->max; i++) menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char)); row = 0; strfcpy (menu->dialog[row], _("This certificate belongs to:"), SHORT_STRING); row++;
