#3787: out of bounds read in next_token
---------------------+----------------------
Reporter: hanno | Owner: mutt-dev
Type: defect | Status: closed
Priority: major | Milestone:
Component: mutt | Version:
Resolution: fixed | Keywords:
---------------------+----------------------
Changes (by Kevin McCarthy <kevin@…>):
* status: new => closed
* resolution: => fixed
Comment:
In [a6919571eb593031738fc0a8794d5dcaf2260668]:
{{{
#!CommitTicketReference repository=""
revision="a6919571eb593031738fc0a8794d5dcaf2260668"
Fix next_token() oob read. (closes #3787)

With specially crafted input to 'mutt -H', the line "Return-Path:<() "
is read and passed to mutt_parse_rfc822_line(). "<() " is then passed
through to rfc822_parse_adrlist().

Eventually, inside next_token(), is_special(*s) is called when s
points to the end of the string ('\0'). This macro calls strchr,
which will actually match and return a pointer to the trailing '\0' in
RFC822Specials! This causes "s + 1" to be returned, skipping past the
end of string inside parse_mailboxdomain().

This patch adds a check to make sure *s is non-null before calling
is_special(*s).
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3787#comment:4>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
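
Added example, not part of the ticket or of mutt's source: a simplified C model of the strchr() behaviour and the extra check described in the commit message above. The SPECIALS string and all helper names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the RFC822Specials string named in the commit message. */
static const char SPECIALS[] = "@.,:;<>[]\\\"()";

/* Pre-fix test: strchr() counts the terminating '\0' as part of the string,
 * so the result is non-NULL for c == '\0' too. */
static int is_special_unchecked(char c)
{
    return strchr(SPECIALS, c) != NULL;
}

/* Post-fix test: rule out the terminator before asking strchr(). */
static int is_special_checked(char c)
{
    return c != '\0' && strchr(SPECIALS, c) != NULL;
}

/* Simplified token step (hypothetical helper): returns how many bytes the
 * cursor advances from s. A special character is consumed as one byte. */
static size_t step(const char *s, int (*special)(char))
{
    size_t n = 0;

    if (special(*s))
        return 1;
    while (s[n] != '\0' && !special(s[n]))
        n++;
    return n;
}

/* Returns 1 if a step taken at the end of buf moves the cursor past the
 * terminator. Only the distance is computed; nothing beyond buf is read. */
static int overruns_at_end(const char *buf, int (*special)(char))
{
    return step(buf + strlen(buf), special) > 0;
}

int main(void)
{
    const char *line = "<() ";  /* address text quoted in the commit message */

    printf("unchecked: overrun=%d\n", overruns_at_end(line, is_special_unchecked));
    printf("checked:   overrun=%d\n", overruns_at_end(line, is_special_checked));
    return 0;
}
```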