On Tue, Sep 29, 2015 at 03:30:27PM +0800, Kevin J. McCarthy wrote:
> The ticket reported an out of bounds read in mutt_read_rfc822_line()
> when a '\0' was embedded on its own line in the headers. The function
> assumed if fgets() didn't return NULL, then the string would have at
> least [one] character.
> diff --git a/smime.c b/smime.c
> --- a/smime.c
> +++ b/smime.c
> @@ -949,17 +950,19 @@
> while ((fgets (email, sizeof (email), fpout)))
> {
> - *(email + mutt_strlen (email)-1) = '\0';
> + len = mutt_strlen (email);
> + if (len)
> + *(email + len - 1) = '\0';
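
Review bot: the new `if (len)` guard only handles the empty-string case; when fgets() returns a line with no trailing '\n' (the final line of fpout lacking a newline, or a line longer than sizeof (email) - 1 that fgets() split across two reads), `*(email + len - 1) = '\0'` now discards the last real character of the address instead of the newline. Suggest checking for the newline before overwriting, e.g. `if (len && email[len - 1] == '\n') email[len - 1] = '\0';`, and adding a one-line comment stating that the intent is to strip the newline.
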
> @@ -977,17 +980,19 @@
> while ((fgets (email, sizeof (email), fpout)))
> {
> - *(email + mutt_strlen (email) - 1) = '\0';
> + len = mutt_strlen (email);
> + if (len)
> + *(email + len - 1) = '\0';
>
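Review bot: this second loop repeats the same pattern as the one at -949, and the same caveat applies: `if (len)` protects against an empty string, but a line returned by fgets() without a trailing '\n' (no newline at end of fpout, or a line truncated at sizeof (email) - 1) still has its last real character overwritten by `*(email + len - 1) = '\0'`. Suggest `if (len && email[len - 1] == '\n') email[len - 1] = '\0';` here too, ideally factored into a shared helper so both loops cannot drift apart.
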
At face value, these fragments look too optimistic - the last line could
have no trailing newline, even if erroneously. Not sure if that can
actually happen and whether it would be a problem, as I don't know the
context. Possibly add comments.