Potential remote crashes

Timo Sirainen tss at iki.fi
Thu May 8 15:15:54 CEST 2003


Did a small code audit. Looks pretty good in general, but found a few
things:

static int yy_use_redo_text(buff_t *buff)
{
    size_t used  = buff->t.leng;
    size_t size  = buff->size;
    size_t avail = size - used;
    byte  *buf = buff->t.text+used;
    size_t count = min(yysave->size, avail-2);

    memcpy(buf, yysave->t.text, count );

If avail is 0 or 1, count is set to (size_t)-1 or -2 and memcpy()
crashes. I'm not sure if that can happen though; it's not so obvious
when and how this function gets called.

size_t qp_decode(word_t *word)
..
    while (s < e)
    {
	byte ch = *s++;
	if (ch == '=') {
	    ch = *s++;
	    if (ch != '\n') {
		byte cx = *s++;
..
		    *d++ = '=';
		    *d++ = ch;
		    *d++ = cx;
		    continue;
..
    *d = '\0';

If ch == '=', the code is missing checks that s is still less than e,
but it still updates d. Looks like that would allow writing \0 to 1 or
2 bytes after malloc()ed data.
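Added example (not code from this post or from bogofilter): hardened
counterparts to both snippets above, written here for illustration. The
buff_t/word_t layouts, the MIN() macro and the function names are
assumptions standing in for the project's own types, and yysave is
modelled as a plain word_t argument. The first part puts the original
count calculation beside one that checks before subtracting: avail - 2 is
evaluated in size_t, so when avail is 0 or 1 it wraps to a huge value and
MIN() no longer clamps what memcpy() copies. The second part is a
quoted-printable decoder that re-checks s < e after every '=', so a word
ending in "=" or "=X" is kept literal instead of being read, and then
written, past its end.

```c
/* Added example, hypothetical types: not bogofilter's code. */
#include <stdio.h>
#include <string.h>

typedef unsigned char byte;

typedef struct { byte *text; size_t leng; } word_t;   /* assumed layout */
typedef struct { word_t t; size_t size; } buff_t;     /* assumed layout */

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Issue 1, as the quoted code computes it: avail - 2 is a size_t subtraction,
 * so for avail == 0 or 1 it wraps to SIZE_MAX-1 or SIZE_MAX and MIN() hands
 * back save_size unclamped, which is more than the space that is left. */
size_t redo_count_original(size_t save_size, size_t size, size_t used)
{
    size_t avail = size - used;
    return MIN(save_size, avail - 2);
}

/* Hardened count: check before subtracting, keep the two reserved bytes the
 * original leaves, and report only what actually fits (0 if nothing does). */
size_t redo_count_safe(size_t save_size, size_t size, size_t used)
{
    if (used > size)          /* inconsistent buffer: refuse rather than wrap */
        return 0;
    size_t avail = size - used;
    if (avail < 2)            /* exactly the case where the original wraps */
        return 0;
    return MIN(save_size, avail - 2);
}

/* The same copy as yy_use_redo_text(), driven by the safe count.
 * Returns the number of bytes copied. */
size_t use_redo_text_safe(buff_t *buff, const word_t *save)
{
    size_t count = redo_count_safe(save->leng, buff->size, buff->t.leng);
    memcpy(buff->t.text + buff->t.leng, save->text, count);
    return count;
}

static int hexval(byte c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Issue 2: bounds-checked quoted-printable decode, in place.  Every byte
 * consumed after '=' is preceded by an s < e check, so a word that ends in
 * "=" or "=X" is emitted literally instead of reading beyond e and writing
 * up to three bytes plus the NUL beyond the allocation.  Because d never
 * passes s, the output fits in the input; text needs leng + 1 bytes for the
 * terminating NUL, as the original's "*d = '\0'" also assumes. */
size_t qp_decode_safe(byte *text, size_t leng)
{
    byte *s = text, *e = text + leng, *d = text;

    while (s < e) {
        byte ch = *s++;
        if (ch != '=') { *d++ = ch; continue; }
        if (s >= e) { *d++ = '='; break; }             /* "...=" at end   */
        ch = *s++;
        if (ch == '\n') continue;                       /* soft line break */
        if (ch == '\r' && s < e && *s == '\n') { s++; continue; }
        if (s >= e) { *d++ = '='; *d++ = ch; break; }  /* "...=X" at end  */
        byte cx = *s++;
        int hi = hexval(ch), lo = hexval(cx);
        if (hi >= 0 && lo >= 0)
            *d++ = (byte)((hi << 4) | lo);
        else { *d++ = '='; *d++ = ch; *d++ = cx; }    /* not an escape   */
    }
    *d = '\0';
    return (size_t)(d - text);
}

int main(void)
{
    byte in[] = "x=4";   /* constructed input: escape truncated at end of word */
    size_t n = qp_decode_safe(in, 3);
    printf("decoded \"%s\" (%zu bytes)\n", in, n);
    printf("count with avail=0: original %zu, safe %zu\n",
           redo_count_original(10, 8, 8), redo_count_safe(10, 8, 8));
    return 0;
}
```

The decoder keeps the original's policy of passing malformed escapes
through as literal text; what changes is only that each extra read is
guarded, which is the missing check Timo points at.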





More information about the bogofilter-dev mailing list