#3776: Out of bounds heap read when parsing malformed header
---------------------+---------------------
Reporter: hanno | Owner: brendan
Type: defect | Status: closed
Priority: major | Milestone:
Component: IMAP | Version:
Resolution: fixed | Keywords:
---------------------+---------------------
Changes (by Kevin McCarthy <kevin@…>):
* status: new => closed
* resolution: => fixed
Comment:
In [590ff6eebe1a4298066ae839107a71a1bfc1fa6c]:
{{{
#!CommitTicketReference repository=""
revision="590ff6eebe1a4298066ae839107a71a1bfc1fa6c"
Fix oob reads when fgets returns "\0". (closes #3776)

The ticket reported an out of bounds read in mutt_read_rfc822_line()
when a '\0' was embedded on its own line in the headers. The function
assumed if fgets() didn't return NULL, then the string would have at
least one character.

I scanned the rest of the code and found three other places making the
same assumption for fgets.

Thanks to hanno for finding this with the "american fuzzy lop" tool.
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3776#comment:2>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
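
The fgets() assumption described in the commit message, as an added example (not Mutt's code and not part of the original ticket): a line consisting only of a NUL byte makes fgets() return a non-NULL, zero-length string, so any `buf[strlen(buf) - 1]` access reads before the buffer. The function names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, shown for comparison and never called below:
 * if buf is "" then strlen(buf) - 1 wraps around and buf[-1] is read. */
void chomp_unsafe(char *buf)
{
    if (buf[strlen(buf) - 1] == '\n')
        buf[strlen(buf) - 1] = '\0';
}

/* Hardened form: check the length before indexing. Returns the new length. */
size_t chomp_safe(char *buf)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return len;
}

/* Writes n bytes of constructed input to a temp file, reads the first line
 * back with fgets(), and returns its length after chomp_safe().
 * Returns -1 if fgets() returned NULL or the temp file could not be used. */
long first_line_len(const char *data, size_t n)
{
    char buf[64];
    long len = -1;
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    if (fwrite(data, 1, n, f) == n) {
        rewind(f);
        if (fgets(buf, sizeof buf, f) != NULL)  /* non-NULL does not imply non-empty */
            len = (long)chomp_safe(buf);
    }
    fclose(f);
    return len;
}

int main(void)
{
    /* Constructed inputs: a normal header line, and a NUL on its own line. */
    static const char ok[]  = "Subject: hi\n";
    static const char bad[] = "\0\nSubject: hi\n";
    printf("normal line length:   %ld\n", first_line_len(ok, sizeof ok - 1));
    printf("NUL-only line length: %ld\n", first_line_len(bad, sizeof bad - 1));
    return 0;
}
```

Building with `-fsanitize=address` and swapping in `chomp_unsafe()` makes the out-of-bounds read visible on the NUL-only input.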