Version: nmh-1.0
OS: Linux 2.0.32 i586 (Slackware)
Problem: mhn throws SIGSEGV when used to view a document with many
attachments.
Cause: at sbr/m_getfld.c:262 a pointer is dereferenced (*bp++) before the
bounds check (--j >= 0) has established that it still points inside the
string being scanned. In this instance the string had been malloc()ed
and, by sheer coincidence, the byte immediately after it was the first
byte of a new, unmapped page, hence the SEGV. In most cases there is
valid mapped memory immediately after the string, so the bug goes
unnoticed.
Solution: test that the pointer refers to a valid piece of memory before
dereferencing it.
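To make the over-read visible, here is an added C demonstration (not nmh code) that runs the loop from m_getfld.c:262 and the guarded form described above over constructed, padded buffers and reports how many bytes each copies and how far bp advances; the struct, the run_old/run_new wrappers and the sample inputs are assumptions made for this demo.

```c
#include <stddef.h>

struct field_result {
    size_t copied;   /* bytes written to dst (cp - dst) */
    size_t consumed; /* bp - sp, the value the source assigns back to j */
};

/* Loop as it stands in nmh-1.0 sbr/m_getfld.c:262: *bp is read before
 * --j >= 0 is evaluated, so with no delimiter it touches limit+1 bytes. */
struct field_result copy_field_old(const unsigned char *src, int limit,
                                   unsigned char *dst)
{
    const unsigned char *bp = src, *sp = src;
    unsigned char *cp = dst;
    int c, j = limit;
    struct field_result r;

    while ((c = *bp++) != ':' && c != '\n' && --j >= 0)
        *cp++ = c;
    r.copied = (size_t)(cp - dst);
    r.consumed = (size_t)(bp - sp);
    return r;
}

/* Guarded form: the remaining count is checked before the byte is read. */
struct field_result copy_field_new(const unsigned char *src, int limit,
                                   unsigned char *dst)
{
    const unsigned char *bp = src, *sp = src;
    unsigned char *cp = dst;
    int c, j = limit;
    struct field_result r;

    while (j > 0 && (c = *bp++) != ':' && c != '\n')
        *cp++ = c, j--;
    r.copied = (size_t)(cp - dst);
    r.consumed = (size_t)(bp - sp);
    return r;
}

/* Constructed inputs, padded so the old loop's extra read stays inside
 * the array here (in the report that byte sat on an unmapped page). */
static const unsigned char sample[] = "abcdefgh";
static const unsigned char sample_delim[] = "ab:cdefg";
static unsigned char scratch[16];

/* Wrappers: with limit 4 on sample, old advances bp by 5, new by 4. */
struct field_result run_old(const unsigned char *s, int lim) { return copy_field_old(s, lim, scratch); }
struct field_result run_new(const unsigned char *s, int lim) { return copy_field_new(s, lim, scratch); }
```

Both variants copy the same bytes; the difference is the one extra read (and the one-larger bp - sp) the old loop performs whenever the limit, not a delimiter, ends the scan.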
Patch:
--- sbr/m_getfld.c.orig Sat Aug 1 00:48:37 1998
+++ sbr/m_getfld.c Tue Apr 27 10:50:03 1999
@@ -259,8 +259,8 @@
bp = sp = (unsigned char *) iob->_ptr - 1;
j = (cnt = iob->_cnt+1) < i ? cnt : i;
#endif
- while ((c = *bp++) != ':' && c != '\n' && --j >= 0)
- *cp++ = c;
+ while (j > 0 && (c = *bp++) != ':' && c != '\n')
+ *cp++ = c, j--;
j = bp - sp;
if ((cnt -= j) <= 0) {
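Review bot: when the loop exits because j is exhausted rather than on ':' or '\n', bp now stops one byte earlier than before (the old loop had already read and stepped past the byte beyond the limit), so the `j = bp - sp;` and `if ((cnt -= j) <= 0)` lines that follow see a value one smaller on that path; worth confirming that the code after this hunk still treats the buffer-exhausted case as intended. A smaller point: `*cp++ = c, j--;` relies on the comma operator in an unbraced loop body; a braced body with the two statements on separate lines would make the decrement easier to see.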