[PATCH] notmuch: Fix off-by-one errors if a header is >200 characters long.

dme at dme.org
Wed Apr 28 03:45:41 PDT 2010


From: David Edmondson <dme at dme.org>

If a single header is more than 200 characters long, a set of 'off by
one' errors cause memory corruption.

When allocating memory with:
     a = malloc (len);
the last usable byte of the memory is 'a + len - 1' rather than 'a +
len'.

Fix the same bug when calculating the current offset should the buffer
used for collecting the output header need to be reallocated.
---

This is the cause of my segmentation fault (or bus error) during
`notmuch reply'. The patch is for the 0.3.1 branch, but I'd expect
that it will apply cleanly to master.

 gmime-filter-headers.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/gmime-filter-headers.c b/gmime-filter-headers.c
index 2f3df80..7db3779 100644
--- a/gmime-filter-headers.c
+++ b/gmime-filter-headers.c
@@ -169,7 +169,7 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace,
 		headers->lineptr = headers->line = malloc (headers->line_size);
 	}
 	lineptr = headers->lineptr;
-	lineend = headers->line + headers->line_size;
+	lineend = headers->line + headers->line_size - 1;
 	if (lineptr == NULL)
 		return;
 	outptr = filter->outbuf;
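Review bot: `lineend` is now computed from `headers->line` before the `if (lineptr == NULL) return;` check, so when the `malloc` two lines above fails the pointer arithmetic runs on a null pointer; move the NULL check ahead of the `lineend = ...` assignment. A short comment saying why `lineend` stops one byte short of the allocation (which byte is being kept free and what later writes it) would also help the next reader, since that reasoning currently lives only in the commit message.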
@@ -185,8 +185,8 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace,
 		if (lineptr == lineend) {
 			headers->line_size *= 2;
 			headers->line = xrealloc (headers->line, headers->line_size);
-			lineptr = headers->line + headers->line_size / 2;
-			lineend = headers->line + headers->line_size;
+			lineptr = headers->line + (headers->line_size / 2) - 1;
+			lineend = headers->line + headers->line_size - 1;
 		}
 
 		if (headers->saw_nl && *inptr != ' ' && *inptr != '\t') {
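Review bot: in the realloc branch the restored `lineptr` is derived from `(headers->line_size / 2) - 1`, which only matches the pre-realloc position because `lineend` carries the same `- 1`; if either expression changes later they drift apart silently. Saving the offset before the reallocation and restoring from it removes the duplicated arithmetic, e.g. `size_t off = lineptr - headers->line;` before `xrealloc` and `lineptr = headers->line + off;` after it, with `lineend` then recomputed from the new `line_size` as the patch already does.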
-- 
1.7.0
