Package: procmail
Version: 3.22-25+b1
Tags: security

formail crashes on the attached file:
$ zcat overflow.822.gz | formail -r
*** Error in `formail': corrupted size vs. prev_size: 0x584565a8 ***
...
Aborted
I believe the culprit is the loadbuf() function. It looks like this:
void loadbuf(text,len)const char*const text;const size_t len;
{ if(buffilled+len>buflen)                    /* buf can't hold the text */
    buf=realloc(buf,buflen+=Bsize);           /* grows by one Bsize step only, whatever len is */
  tmemmove(buf+buffilled,text,len);           /* copies len bytes regardless of the new buflen */
  buffilled+=len;
}
When the buffer is too small, the function resizes it, but only by a single
Bsize (=128) step, regardless of how many bytes are being appended. That is
not necessarily enough: once len exceeds the space gained, tmemmove() writes
past the end of the heap allocation, which is the corruption glibc reports above.
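A corrected growth policy, as an added example in C that is not procmail's own patch: buf, buffilled, buflen and Bsize keep the names from the report, memmove() stands in for procmail's tmemmove(), and original_growth()/corrected_growth() are helpers introduced here to show the buffer size each policy arrives at for a given append.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define Bsize 128   /* growth step used by procmail's loadbuf() */

/* Buffer state, named as in the report (constructed here, not procmail's). */
static char *buf = NULL;
static size_t buffilled = 0, buflen = 0;

/* Buffer length after the original loadbuf(): at most one Bsize step,
   however many bytes are being appended. */
size_t original_growth(size_t filled, size_t len, size_t cur)
{ return filled + len > cur ? cur + Bsize : cur; }

/* Buffer length after the corrected version: the smallest multiple of Bsize
   that holds filled + len bytes; 0 means the size cannot be represented. */
size_t corrected_growth(size_t filled, size_t len, size_t cur)
{ size_t need, rem;
  if (len > SIZE_MAX - filled) return 0;          /* size_t overflow */
  need = filled + len;
  if (need <= cur) return cur;
  rem = need % Bsize;
  if (rem == 0) return need;
  if (need > SIZE_MAX - (Bsize - rem)) return 0;
  return need + (Bsize - rem);
}

/* Corrected loadbuf(): 0 on success, -1 if the buffer cannot be grown.
   On failure the old buffer is kept (realloc() result checked before use). */
int loadbuf_fixed(const char *text, size_t len)
{ if (len == 0) return 0;
  size_t newlen = corrected_growth(buffilled, len, buflen);
  if (newlen == 0) return -1;
  if (newlen > buflen)                            /* buf can't hold the text */
  { char *nbuf = realloc(buf, newlen);
    if (nbuf == NULL) return -1;
    buf = nbuf; buflen = newlen;
  }
  memmove(buf + buffilled, text, len);
  buffilled += len;
  return 0;
}

void resetbuf(void) { free(buf); buf = NULL; buffilled = buflen = 0; }

/* Append n copies of c through loadbuf_fixed(); returns its status. */
int append_run(char c, size_t n)
{ char *tmp = malloc(n); int rc;
  if (tmp == NULL) return -1;
  memset(tmp, c, n); rc = loadbuf_fixed(tmp, n); free(tmp);
  return rc;
}
```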
Found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages procmail depends on:
ii  libc6  2.24-17

-- Jakub Wilk

Attachment: overflow.822.gz (application/gzip)