On Thursday 03 July 2003 14:04, Jesse Guardiani wrote:Sam,
Take a look at the attached patches, please.
Sorry. I forgot to attach the patches. Here they are. See attached.
The malloc version serves no useful purpose. Copying the pathnames to a malloced buffer, and freeing it afterwards does not do anything useful.
Furthermore, you're allocating one byte too short, which will result in subtle memory corruption.
The non-malloc version has a rather obvious exploitable buffer overflow, because sqwebmail can be run from the command line, with prearranged environment variables.
pgp00000.pgp
Description: PGP signature
