The attached patch fixes a buffer overflow in mutt's text/enriched
handler. Additionally, a second problem, which could lead to unbounded
growth of the same buffer, is fixed.
Thanks to Andreas Kirchwitz for noting that there was a problem.
Index: handler.c
===================================================================
RCS file: /home/roessler/cvsroot/mutt/handler.c,v
retrieving revision 2.1.4.6
retrieving revision 2.1.4.7
diff -u -r2.1.4.6 -r2.1.4.7
--- handler.c 1999/06/08 09:42:14 2.1.4.6
+++ handler.c 1999/09/23 20:34:01 2.1.4.7
@@ -403,6 +403,7 @@
size_t indent_len;
size_t word_len;
size_t buff_used;
+ size_t param_used;
size_t param_len;
int tag_level[RICH_LAST_TAG];
int WrapMargin;
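Review bot: The new `param_used` field and the existing `param_len` are easy to confuse, because after this patch `param_len` is the allocated capacity of `param` rather than its content length, and neither field carries a comment. I would annotate both in the struct: `size_t param_used; /* bytes of param currently in use */` and `size_t param_len; /* allocated size of param; the append path keeps at least one spare byte for the terminator */`. The struct definition starts before this hunk.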
@@ -551,7 +552,10 @@
{
if (stte->tag_level[RICH_COLOR])
{
- stte->param[stte->param_len++] = c;
+ if (stte->param_used + 1 >= stte->param_len)
+ safe_realloc ((void **) &stte->param, (stte->param_len += STRING));
+
+ stte->param[stte->param_used++] = c;
}
return; /* nothing to do */
}
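Review bot: The growth step in the `safe_realloc` line adds a fixed STRING bytes per reallocation, so an attacker-supplied `<param>` body of N bytes inside a `<color>` tag costs about N/STRING reallocations with quadratic total copying, and the buffer grows to the size of the message with no upper bound. Since the visible consumers only compare `param` against short colour names, consider doubling instead, `safe_realloc ((void **) &stte->param, (stte->param_len *= 2));`, or stopping the append once `param_used` passes a modest cap, which bounds memory regardless of input. The bounds check itself is correct: because the realloc fires when `param_used + 1 >= param_len`, every append leaves at least one free byte for the terminator that the tag-close path writes. The enclosing function starts before this hunk and continues after it.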
@@ -652,7 +656,7 @@
stte->tag_level[j]--;
if ((stte->s->flags & M_DISPLAY) && j == RICH_PARAM &&
stte->tag_level[RICH_COLOR])
{
- stte->param[stte->param_len] = '\0';
+ stte->param[stte->param_used] = '\0';
if (!mutt_strcasecmp(stte->param, "black"))
{
enriched_puts("\033[30m", stte);
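Review bot: The terminator store `stte->param[stte->param_used] = '\0';` is only in bounds because the append path reallocates whenever `param_used + 1 >= param_len`, and nothing at this site says so; I would add `/* the append path guarantees param_used < param_len, so the terminator always fits */` above it, since a later change to the growth rule would silently reopen the overflow this patch closes. The enclosing function continues outside the hunk.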
@@ -685,13 +689,18 @@
{
enriched_puts("\033[37m", stte);
}
- stte->param_len = 0;
- stte->param[0] = '\0';
}
if ((stte->s->flags & M_DISPLAY) && j == RICH_COLOR)
{
enriched_puts("\033[0m", stte);
}
+
+ /* flush parameter buffer when closing the tag */
+ if (j == RICH_PARAM)
+ {
+ stte->param_used = 0;
+ stte->param[0] = '\0';
+ }
}
else
stte->tag_level[j]++;
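Review bot: The comment on the new flush block says what it does but not why it moved out of the display-only branch, which is the actual fix for the accumulation bug; as far as the visible code shows, characters are appended whenever `tag_level[RICH_COLOR]` is set regardless of `M_DISPLAY`, so the old reset inside the `M_DISPLAY` branch could be skipped indefinitely. I would reword it as `/* reset on every </param>, not only in the M_DISPLAY colour branch, so text from earlier parameters cannot accumulate */`. The `stte->param[0] = '\0';` is redundant given `param_used = 0` and the terminator written before any comparison, but harmless. The enclosing function starts before this hunk and continues after it.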
@@ -719,6 +728,9 @@
stte.line_max = stte.WrapMargin * 4;
stte.line = (char *) safe_calloc (1, stte.line_max + 1);
stte.param = (char *) safe_calloc (1, STRING);
+
+ stte.param_len = STRING;
+ stte.param_used = 0;
if (s->prefix)
{