Potential remote crashes

David Relson relson at osagesoftware.com
Thu May 8 16:46:39 CEST 2003


At 09:15 AM 5/8/03, Timo Sirainen wrote:

>Did a small code audit. Looks pretty good in general, but found a few
>things:
>
>static int yy_use_redo_text(buff_t *buff)
>{
>     size_t used  = buff->t.leng;
>     size_t size  = buff->size;
>     size_t avail = size - used;
>     byte  *buf = buff->t.text+used;
>     size_t count = min(yysave->size, avail-2);
>
>     memcpy(buf, yysave->t.text, count );
>
>If avail is 0 or 1, count is set to (size_t)-1 or -2 and memcpy()
>crashes. I'm not sure if that can happen though, it's not so obvious
>when and how this function gets called..

yy_use_redo_text() is only called under special circumstances.  Its uses 
are many levels removed from the original message.  I'll have to check how 
"buff_t *buff" is created and used to see if avail-2 could ever generate a 
negative value.

>size_t qp_decode(word_t *word)
>..
>     while (s < e)
>     {
>         byte ch = *s++;
>         if (ch == '=') {
>             ch = *s++;
>             if (ch != '\n') {
>                 byte cx = *s++;
>..
>                     *d++ = '=';
>                     *d++ = ch;
>                     *d++ = cx;
>                     continue;
>..
>     *d = '\0';
>
>If ch == '=' is missing checks if s still is less than e, but it still
>updates d. Looks like that would allow writing \0 to 1 or 2 bytes after
>malloc()ed data.

I'll check this after some more pressing tasks are completed.
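Both findings above are the same class of defect, arithmetic on size_t or pointer arithmetic done before the bounds are confirmed. The following is an added example written for this page, not bogofilter's own code: it shows a bounds-safe version of each pattern. The `word_t`/`buff_t` structs are simplified stand-ins for the real ones, the reserve of 2 mirrors the `avail-2` in the quoted snippet, and the quoted-printable decoder assumes its input is NUL-terminated so the terminator it writes at or before `text[leng]` stays inside the allocation; all of that is assumption, and the inputs in `main()` are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef unsigned char byte;

/* Simplified stand-ins for bogofilter's word_t / buff_t (assumption; the
 * real structs carry more fields). */
typedef struct { byte *text; size_t leng; } word_t;
typedef struct { word_t t; size_t size; } buff_t;

/* Pattern 1: append saved text into the free tail of a buffer.
 * The quoted code computed min(save->size, avail - 2) in size_t, so when
 * avail is 0 or 1 the subtraction wraps to nearly SIZE_MAX and memcpy()
 * runs off the buffer. Here the reserve is checked before it is subtracted.
 * Returns the number of bytes copied (0 when there is no usable room). */
size_t safe_use_redo_text(buff_t *buff, const byte *src, size_t srclen)
{
    const size_t reserve = 2;          /* tail kept free, as in avail-2 (assumption) */
    size_t used  = buff->t.leng;
    size_t avail = buff->size > used ? buff->size - used : 0;
    if (avail <= reserve)
        return 0;                      /* exactly the case that underflowed */
    size_t room  = avail - reserve;
    size_t count = srclen < room ? srclen : room;
    memcpy(buff->t.text + used, src, count);
    buff->t.leng += count;
    return count;
}

static int hexval(byte c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Pattern 2: in-place quoted-printable decode that re-checks s < e after
 * every byte it consumes. Each branch writes at most as many bytes as it
 * consumed, so d <= s <= e throughout and the terminating NUL lands at or
 * before text[leng], which exists when the input is NUL-terminated
 * (assumption, the same guarantee a C string gives). A '=' followed by
 * fewer than two bytes is kept literally instead of reading past the end. */
size_t safe_qp_decode(word_t *word)
{
    byte *s = word->text, *d = word->text, *e = word->text + word->leng;
    while (s < e) {
        byte ch = *s++;
        if (ch != '=') { *d++ = ch; continue; }
        if (s >= e) { *d++ = '='; break; }                 /* "=" at very end */
        ch = *s++;
        if (ch == '\n') continue;                          /* soft line break */
        if (ch == '\r' && s < e && *s == '\n') { s++; continue; }
        if (s >= e) { *d++ = '='; *d++ = ch; break; }      /* "=X" at very end */
        byte cx = *s++;
        int hi = hexval(ch), lo = hexval(cx);
        if (hi < 0 || lo < 0) {                            /* not hex: keep verbatim */
            *d++ = '='; *d++ = ch; *d++ = cx;
            continue;
        }
        *d++ = (byte)((hi << 4) | lo);
    }
    *d = '\0';
    word->leng = (size_t)(d - word->text);
    return word->leng;
}

/* Demo helpers: decode a NUL-terminated C string in place; try to append
 * src into a scratch buffer of capacity `size` that already holds `used`
 * bytes (size must be <= 64 here). */
size_t decode_cstr(char *s)
{
    word_t w = { (byte *)s, strlen(s) };
    return safe_qp_decode(&w);
}

size_t try_append(size_t size, size_t used, const char *src)
{
    byte storage[64] = {0};
    buff_t b = { { storage, used }, size };
    return safe_use_redo_text(&b, (const byte *)src, strlen(src));
}

int main(void)
{
    char a[] = "ab=3Dc=", b[] = "x=\ny=4";   /* constructed inputs */
    printf("%s -> ", a); decode_cstr(a); printf("%s\n", a);
    printf("%s -> ", b); decode_cstr(b); printf("%s\n", b);
    printf("room for 1 byte, reserve 2: copied %zu\n", try_append(8, 7, "x"));
    return 0;
}
```

The decoder's invariant (never write more than it has consumed) is what makes the in-place form safe; the original's three-byte fallback was fine only because it read three bytes first, and that read is the out-of-bounds access Timo describes.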

