Cherry-picked an upstream commit from five days ago; this lets me read
mail again.

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/neomutt/Makefile,v
retrieving revision 1.40
diff -u -p -r1.40 Makefile
--- Makefile    7 Nov 2019 09:38:55 -0000       1.40
+++ Makefile    9 Nov 2019 11:28:47 -0000
@@ -5,7 +5,7 @@ COMMENT=        tty-based e-mail client, Mutt w
 GH_ACCOUNT=    neomutt
 GH_PROJECT=    neomutt
 GH_TAGNAME=    20191102
-REVISION=      0
+REVISION=      1
 DISTNAME=      neomutt-${GH_TAGNAME:S/-//g}
 
 CATEGORIES=    mail
Index: patches/patch-init_c
===================================================================
RCS file: patches/patch-init_c
diff -N patches/patch-init_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-init_c        9 Nov 2019 11:25:27 -0000
@@ -0,0 +1,70 @@
+$OpenBSD$
+
+From b486e37c1d5b5ea1b426f844a01c39c2827832dc Mon Sep 17 00:00:00 2001
+From: Richard Russon <r...@flatcap.org>
+Date: Mon, 4 Nov 2019 01:09:41 +0000
+Subject: [PATCH] fix crash in mutt_extract_token()
+
+The first attempt to fix the crash in mutt_extract_token() just moved
+the problem.  This refactors the code to simplify the shuffling of
+strings.
+
+Index: init.c
+--- init.c.orig
++++ init.c
+@@ -2735,9 +2735,6 @@ int mutt_extract_token(struct Buffer *dest, struct Buf
+     {
+       FILE *fp = NULL;
+       pid_t pid;
+-      char *ptr = NULL;
+-      size_t expnlen;
+-      struct Buffer expn;
+       int line = 0;
+ 
+       pc = tok->dptr;
+@@ -2783,7 +2780,7 @@ int mutt_extract_token(struct Buffer *dest, struct Buf
+       tok->dptr = pc + 1;
+ 
+       /* read line */
+-      mutt_buffer_init(&expn);
++      struct Buffer expn = mutt_buffer_make(0);
+       expn.data = mutt_file_read_line(NULL, &expn.dsize, fp, &line, 0);
+       mutt_file_fclose(&fp);
+       mutt_wait_filter(pid);
+@@ -2792,21 +2789,22 @@ int mutt_extract_token(struct Buffer *dest, struct Buf
+        * plus whatever else was left on the original line */
+       /* BUT: If this is inside a quoted string, directly add output to
+        * the token */
+-      if (expn.data && qc)
++      if (expn.data)
+       {
+-        mutt_buffer_addstr(dest, expn.data);
+-        FREE(&expn.data);
+-      }
+-      else if (expn.data)
+-      {
+-        expnlen = mutt_str_strlen(expn.data);
+-        tok->dsize = expnlen + mutt_str_strlen(tok->dptr) + 1;
+-        ptr = mutt_mem_malloc(tok->dsize);
+-        memcpy(ptr, expn.data, expnlen);
+-        strcpy(ptr + expnlen, tok->dptr);
+-        mutt_buffer_strcpy(tok, ptr);
+-        tok->dptr = tok->data;
+-        FREE(&ptr);
++        if (qc)
++        {
++          mutt_buffer_addstr(dest, expn.data);
++        }
++        else
++        {
++          struct Buffer *copy = mutt_buffer_pool_get();
++          mutt_buffer_fix_dptr(&expn);
++          mutt_buffer_copy(copy, &expn);
++          mutt_buffer_addstr(copy, tok->dptr);
++          mutt_buffer_copy(tok, copy);
++          tok->dptr = tok->data;
++          mutt_buffer_pool_release(&copy);
++        }
+         FREE(&expn.data);
+       }
+     }
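Review bot: The else branch added in the last init.c hunk depends on two things the code does not state, and both deserve a comment because this is the spot the crash fix touches. `expn.data` is assigned directly from `mutt_file_read_line()`, so `expn.dptr` is presumably stale until `mutt_buffer_fix_dptr(&expn)` runs, and `tok->dptr` points into `tok->data`, so it has to be appended to `copy` before `mutt_buffer_copy(tok, copy)` can resize or overwrite `tok`. I would add `/* expn.data was set behind the Buffer API; sync dptr before copying */` above the fix_dptr call and `/* append the rest of tok first: tok->dptr points into tok->data, which the next copy replaces */` above the addstr call. The helper definitions and the rest of mutt_extract_token() lie outside the patch, so the first point is inferred from the call order only.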
