Re: [PATCH] buffer overrun in rfc822_8bit()

2005-01-11 Thread Mark Crispin
Thank you.  I agree with your suggested patch, and it will be in the next 
release.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.


Re: [PATCH] buffer overrun in rfc822_8bit()

2005-01-11 Thread Antony Dovgal
On Tue, 11 Jan 2005 14:50:23 -0800 (Pacific Standard Time)
Mark Crispin [EMAIL PROTECTED] wrote:

> Thank you.  I agree with your suggested patch, and it will be in the
> next release.

Thanks!

-- 
Wbr, 
Antony Dovgal aka tony2001


[PATCH] buffer overrun in rfc822_8bit()

2005-01-06 Thread Antony Dovgal
Hi all!

Trying to find the cause of http://bugs.php.net/31431 I've discovered 
that the rfc822_8bit() function (from src/c-client/rfc822.c, line 1938) 
incorrectly computes the maximum result length.
This causes a buffer overrun and a segfault.

Current formula:
---
  unsigned char *ret = (unsigned char *)
    fs_get ((size_t) (3*srcl + (6*srcl)/MAXL + 3));
---

As far as I understand, this formula should be written like this:
---
3[encoded char len]*source length
+
((3[encoded char len]*source length)/MAXL[max line length])*3[line ending: =\r\n]
+
3[=\r\n at the end]
---

So, c-client should use this line instead:
---
  unsigned char *ret = (unsigned char *)
    fs_get ((size_t) (3*srcl + ((3*srcl)/MAXL)*3 + 3));
---

The patch is attached.
Thanks.

-- 
Wbr, 
Antony Dovgal aka tony2001
--- rfc822.c.orig   2005-01-07 01:53:34.652514640 +0300
+++ rfc822.c2005-01-07 01:53:58.716856304 +0300
@@ -1940,7 +1940,7 @@
 {
   unsigned long lp = 0;
   unsigned char *ret = (unsigned char *)
-fs_get ((size_t) (3*srcl + (6*srcl)/MAXL + 3));
+fs_get ((size_t) (3*srcl + ((3*srcl)/MAXL)*3 + 3));
   unsigned char *d = ret;
   char *hex = 0123456789ABCDEF;
   unsigned char c;
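Review bot: the new allocation `3*srcl + ((3*srcl)/MAXL)*3 + 3` still undercounts in two places. `(3*srcl)/MAXL` is integer division, so the soft-break count is rounded down before the `*3`, and the trailing `+ 3` is what absorbs that one missing `=\r\n`; nothing is left for a NUL terminator, so if the encoder ties off `ret` with a '\0' after its loop (not visible in this hunk) the buffer is one byte short. Dividing by MAXL also assumes that MAXL/3 quoted characters fit on one line, which only holds when MAXL is a multiple of 3; if the loop breaks a line whenever the next `=XX` would exceed MAXL, only MAXL/3 rounded down of them fit, and for long inputs the break count grows faster than `(3*srcl)/MAXL`. Suggest deriving the bound from that per-line count, e.g. `3*srcl + 3*(srcl/(MAXL/3) + 1) + 1`, and adding a comment above the `fs_get` call that states the worst-case derivation so the next reader does not have to rediscover it.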
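The size argument in the thread is a worst-case bound for quoted-printable output: every source byte may become "=XX", and a 3-byte "=\r\n" soft break is added once per line. The following is an added example, not code from c-client or from either poster; it models the scheme Antony describes with a small bounded encoder, evaluates both allocation formulas from the thread as functions of the source length, and finds the smallest input for which each one is too small. MAXL is assumed to be 76 (RFC 2045's line limit for quoted-printable; the page never shows c-client's value), the encoder's quoting rule and line-break rule are my own simplification rather than rfc822_8bit()'s actual loop, and all helper names are mine.

```c
/* Added example (not c-client code): compare the two fs_get() size formulas
 * from the thread against a model QP encoder. MAXL = 76 is an assumption;
 * the page does not show c-client's definition. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXL 76                         /* assumed encoded-line limit */

/* the two allocation sizes quoted in the thread, as functions of srcl */
static size_t old_bound(size_t srcl) { return 3*srcl + (6*srcl)/MAXL + 3; }
static size_t new_bound(size_t srcl) { return 3*srcl + ((3*srcl)/MAXL)*3 + 3; }

/* Encode src into dst (capacity dstl) following the scheme the post
 * describes: a byte that needs quoting becomes "=XX" (3 bytes), and a soft
 * line break "=\r\n" (3 bytes) is emitted whenever the next item would push
 * the current line past MAXL.  Never writes past dstl; returns the number of
 * bytes the complete encoding occupies (no NUL terminator counted), so the
 * caller can compare that against a candidate buffer size.  Passing
 * dst == NULL, dstl == 0 gives a size-only pass. */
static size_t qp_encode(const unsigned char *src, size_t srcl,
                        unsigned char *dst, size_t dstl)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need = 0, lp = 0;            /* bytes needed, bytes on this line */
#define PUT(ch) do { if (need < dstl) dst[need] = (unsigned char)(ch); need++; } while (0)
    for (size_t i = 0; i < srcl; i++) {
        unsigned char c = src[i];
        /* simplified quoting rule (model, not rfc822_8bit's exact test) */
        int quote = (c < 0x20 && c != '\t') || c == 0x7f || c >= 0x80 || c == '=';
        size_t w = quote ? 3 : 1;       /* width this item adds to the line */
        if (lp + w > MAXL) {            /* would overflow: soft line break */
            PUT('='); PUT('\r'); PUT('\n');
            lp = 0;
        }
        if (quote) { PUT('='); PUT(hex[c >> 4]); PUT(hex[c & 0x0f]); }
        else       { PUT(c); }
        lp += w;
    }
#undef PUT
    return need;
}

/* Worst case for the encoder: every byte needs quoting.  Uses a constructed
 * input of srcl bytes all equal to 0x80 and returns its encoded size. */
static size_t worst_case_len(size_t srcl)
{
    unsigned char *src = malloc(srcl ? srcl : 1);
    if (!src) return 0;
    memset(src, 0x80, srcl);
    size_t need = qp_encode(src, srcl, NULL, 0);
    free(src);
    return need;
}

/* 1 if a buffer of bound(srcl) bytes would be overrun by the worst case */
static int overruns(size_t srcl, size_t (*bound)(size_t))
{
    return worst_case_len(srcl) > bound(srcl);
}

/* smallest source length up to limit at which bound() is too small; 0 if none */
static size_t first_overrun(size_t (*bound)(size_t), size_t limit)
{
    for (size_t n = 1; n <= limit; n++)
        if (overruns(n, bound)) return n;
    return 0;
}

int main(void)
{
    size_t n = 1000;
    printf("srcl=%zu: need %zu bytes, old bound %zu, new bound %zu\n",
           n, worst_case_len(n), old_bound(n), new_bound(n));
    printf("old formula first overruns at srcl=%zu\n",
           first_overrun(old_bound, 100000));
    printf("new formula first overruns at srcl=%zu\n",
           first_overrun(new_bound, 100000));
    return 0;
}
```

With MAXL = 76 a line in this model holds only 25 quoted bytes (75 of the 76 columns), because "=XX" cannot be split across lines. The old formula is already too small at 101 all-8-bit bytes; the corrected formula holds much longer but, since it divides by MAXL rather than by the 25 items that actually fit, it also falls short once the input reaches 2001 bytes. Whether rfc822_8bit()'s real loop breaks lines the same way is not shown on the page, so treat that second result as a property of the model and a reason to derive such bounds from the encoder's actual line discipline.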