#3824: [PATCH] Uninitialised variable
----------------------+----------------------
Reporter: flatcap | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: build | Version: 1.5.24
Resolution: | Keywords: patch
----------------------+----------------------
Comment (by flatcap):
@tamo: Thanks, but no.
Not setting out-params to a sensible value before a call is risky.
Here's an example where valid (at least not-dangerous) input causes
undefined behaviour.
{{{
97 static LIST *mutt_parse_references (char *s, int in_reply_to)
98 {
99 LIST *t, *lst = NULL;
100 char *m;
101 const char *sp;
102
103 m = mutt_extract_message_id (s, &sp);
}}}
{{{
896 char *mutt_extract_message_id (const char *s, const char **saveptr)
897 {
898 const char *o, *onull, *p;
899 char *ret = NULL;
900
901 if (s)
902 p = s;
903 else if (saveptr)
904 p = *saveptr;
905 else
906 return NULL;
907
908 for (s = NULL, o = NULL, onull = NULL;
909 (p = strpbrk (p, "<> \t;")) != NULL; ++p)
}}}
'''Start''': Someone calls
{{{
mutt_parse_references (NULL, 0);
}}}
Either through accident, or malicious behaviour.
mutt_parse_references():
- s = NULL;
- sp is UNDEFINED;
{{{
103 m = mutt_extract_message_id (s, &sp);
}}}
mutt_extract_message_id():
- s = NULL;
- saveptr = address of sp;
- *saveptr is UNDEFINED;
{{{
mutt_extract_message_id()
...
901 if (s)
902 p = s;
903 else if (saveptr)
904 p = *saveptr;
}}}
- 901 s = NULL therefore FALSE
- 903 saveptr is address of sp therefore TRUE
- 904 p is UNDEFINED (value of sp)
{{{
mutt_extract_message_id()
...
908 for (s = NULL, o = NULL, onull = NULL;
909 (p = strpbrk (p, "<> \t;")) != NULL; ++p)
}}}
- '''909 strpbrk() is called with p (UNDEFINED) as a parameter'''.
<rant>
There are too many functions in Mutt that don't check parameters.
The assumption is that the caller will do the validation.
</rant>
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3824#comment:2>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
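As an added example (not mutt's code, and not from the ticket author), the following C program shows the callee-side validation the comment argues for. `extract_message_id_safe()` is a hypothetical, simplified stand-in for `mutt_extract_message_id()`: it keeps the same `s`/`saveptr` contract, but it checks `*saveptr` before dereferencing the saved position and always leaves `*saveptr` in a defined state, so `extract_message_id_safe(NULL, &sp)` with an uninitialised or NULL `sp` cannot reach `strchr()` with garbage. `count_message_ids()` is the hypothetical caller and shows the other half of the defence: initialising the out-parameter before the first call. The References strings are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for mutt_extract_message_id(): returns a newly
 * allocated copy of the next "<...>" token in s, or, when s is NULL,
 * continues from *saveptr. On every return path *saveptr is left either
 * pointing just past the token or NULL, never untouched garbage. */
char *extract_message_id_safe(const char *s, const char **saveptr)
{
    const char *dummy = NULL;
    const char *p, *start, *end;
    char *ret;
    size_t len;

    /* A caller that does not care about continuation may pass NULL. */
    if (saveptr == NULL)
        saveptr = &dummy;

    if (s != NULL)
        p = s;                  /* fresh string */
    else if (*saveptr != NULL)
        p = *saveptr;           /* continuation call: saved position is valid */
    else
        return NULL;            /* neither input nor a saved position: refuse */

    start = strchr(p, '<');
    if (start == NULL) {
        *saveptr = NULL;        /* nothing left to parse */
        return NULL;
    }
    end = strchr(start + 1, '>');
    if (end == NULL) {
        *saveptr = NULL;        /* unterminated id: treat as end of input */
        return NULL;
    }

    len = (size_t)(end - start + 1);
    ret = malloc(len + 1);
    if (ret == NULL) {
        *saveptr = NULL;
        return NULL;
    }
    memcpy(ret, start, len);
    ret[len] = '\0';
    *saveptr = end + 1;         /* resume after the closing '>' next time */
    return ret;
}

/* Hypothetical caller: counts the message-ids in a References header.
 * sp is initialised to NULL before the first call, so even a callee that
 * read *saveptr unconditionally would see a defined value. */
int count_message_ids(const char *references)
{
    const char *sp = NULL;
    char *id;
    int n = 0;

    id = extract_message_id_safe(references, &sp);
    while (id != NULL) {
        n++;
        free(id);
        id = extract_message_id_safe(NULL, &sp);
    }
    return n;
}

/* Helper for checking the first extracted id against an expected string. */
int first_id_matches(const char *references, const char *expected)
{
    const char *sp = NULL;
    char *id = extract_message_id_safe(references, &sp);
    int ok = (id != NULL) && (strcmp(id, expected) == 0);
    free(id);
    return ok;
}

int main(void)
{
    /* Constructed sample References header. */
    const char *refs = "<a@example.org> <b@example.org>\t<c@example.org>";
    printf("%d message-ids\n", count_message_ids(refs));
    printf("NULL input -> %d message-ids\n", count_message_ids(NULL));
    return 0;
}
```

The point of the two-sided check is that neither side has to trust the other: the callee refuses to use a NULL saved position, and the caller never hands over an uninitialised one, so the `mutt_parse_references (NULL, 0)` path described in the comment degrades to "no ids found" instead of undefined behaviour.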