Potential remote crashes
Timo Sirainen
tss at iki.fi
Thu May 8 15:24:32 CEST 2003
On Thu, 2003-05-08 at 16:15, Timo Sirainen wrote:
> size_t count = min(yysave->size, avail-2);
>
> memcpy(buf, yysave->t.text, count );
>
> If avail is 0 or 1, count is set to (size_t)-1 or -2 and memcpy()
> crashes. I'm not sure if that can happen though, it's not so obvious
> when and how this function gets called..
Sorry, of course it gets set to yysave->size. Is this a fully exploitable
buffer overflow then?
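Added example, not part of the original post or of bogofilter's code: the arithmetic in the quoted line next to a bounds-checked form. It assumes `avail` is a `size_t`, as the post's `(size_t)-1` implies; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers; avail is assumed to be size_t. */

/* Count as computed in the quoted line. When avail is 0 or 1,
 * avail - 2 wraps to (size_t)-2 or (size_t)-1, so the minimum
 * is simply `size`, which can exceed the space left in buf. */
size_t count_as_posted(size_t size, size_t avail)
{
    size_t limit = avail - 2;
    return size < limit ? size : limit;
}

/* Checked form: refuse to subtract when fewer than 2 bytes remain,
 * keeping the same 2-byte reserve the quoted line uses. */
size_t count_checked(size_t size, size_t avail)
{
    if (avail < 2)
        return 0;
    size_t limit = avail - 2;
    return size < limit ? size : limit;
}

/* Copy wrapper around the checked count; returns bytes written. */
size_t save_copy(char *buf, size_t avail, const char *text, size_t size)
{
    size_t count = count_checked(size, avail);
    if (count > 0)
        memcpy(buf, text, count);
    return count;
}

int main(void)
{
    char buf[8];
    /* Constructed sample values: 100 bytes saved, 1 byte available. */
    printf("posted:  avail=1 -> count=%zu\n", count_as_posted(100, 1));
    printf("checked: avail=1 -> count=%zu\n",
           save_copy(buf, 1, "0123456789", 10));
    return 0;
}
```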