author | Kevin McCarthy <kevin@8t8.us> | 2023-09-03 14:11:48 +0800 |
---|---|---|
committer | Kevin McCarthy <kevin@8t8.us> | 2023-09-09 14:31:19 +0800 |
commit | a4752eb0ae0a521eec02e59e51ae5daedf74fda0 (patch) | |
tree | 6ba9505963f2a07745f9d81a739924f1b9ce8a37 | |
parent | 4cc3128abdf52c615911589394a03271fddeefc6 (diff) |
Fix write_one_header() illegal header check.

This is another crash caused by the rfc2047 decoding bug fixed in the
second prior commit.

In this case, an empty header line followed by a header line starting
with ":", would result in t==end.

The mutt_substrdup() further below would go very badly at that point,
with t >= end+1. This could result in either a memcpy onto NULL or a
huge malloc call.

Thanks to Chenyuan Mi (@morningbread) for giving a working example
draft message of the rfc2047 decoding flaw. This allowed me, with
further testing, to discover this additional crash bug.

-rw-r--r-- | sendlib.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen, else { t = strchr (start, ':'); - if (!t || t > end) + if (!t || t >= end) { dprint (1, (debugfile, "mwoh: warning: header not in " "'key: value' format!\n")); |
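
Review bot: The changed test `if (!t || t >= end)` has no comment saying why a colon located at `end` must be rejected, so the off-by-one is easy to reintroduce in a later cleanup; the reason currently lives only in the commit message (the later mutt_substrdup() call ends up with t >= end+1). Suggest a short comment above the condition stating that the colon must lie strictly before `end`. Two smaller points on the same hunk: the condition still accepts `t == start`, that is an empty field name on a line starting with ":", and the visible lines do not show whether that case is handled further down, so it is worth confirming; and the rejection is only reported through `dprint (1, ...)`, so a regression test using the input described in the commit message (an empty header line followed by a header line starting with ":") would keep this path covered.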