[Users] [Bug 3573] New: Out of bounds read in macro LBREAK_IF_REQUIRED in codeconv.c

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Sun Nov 29 11:53:01 CET 2015


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3573

            Bug ID: 3573
           Summary: Out of bounds read in macro LBREAK_IF_REQUIRED in
                    codeconv.c
    Classification: Unclassified
           Product: Claws Mail
           Version: GIT
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
          Assignee: users at lists.claws-mail.org
          Reporter: hanno at hboeck.de

Created attachment 1613
  -->
http://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1613&action=edit
[patch] Fix invalid memory access in LBREAK_IF_REQUIRED

I discovered an out of bounds read in claws-mail when trying to reply to
certain mails when testing with Address Sanitizer.

I figured out the code causing this is in the macro LBREAK_IF_REQUIRED in
codeconv.c. This is the code in question:


        } else if (destp == (guchar *)dest && left < 7) {       \
            if (isspace(*(destp - 1)))                          \
                destp--;                                        \
            else if (is_plain_text && isspace(*srcp))           \
                srcp++;                                         \

If I understand the code correctly, the (isspace(*(destp - 1))) does not make
any sense. It only gets triggered if destp and dest are identical, thus it
means destp points to the beginning of the buffer. Therefore destp-1 is always
pointing to invalid memory.

(This check probably got copied from some lines above. There the check is
valid, because that code part gets executed when destp is bigger than dest).

So this part of the if-clause should be removed. Patch attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
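
Added example, not part of the original report and not Claws Mail code: the look-behind from the quoted branch written as a bounds-guarded helper, so the same logic is valid both when destp == dest and when destp is past the start of dest. In the destp == dest case the guard is always false, which matches removing the check as the report proposes. The names trim_checked, run_case and the brk_action values are hypothetical, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum brk_action { BRK_NONE, BRK_DROP_DEST_SPACE, BRK_SKIP_SRC_SPACE };

/* Guarded form: read the byte before destp only if at least one byte has
 * been written to dest, so destp - 1 never points before the buffer. */
enum brk_action trim_checked(const unsigned char *dest, unsigned char **destp,
                             const unsigned char **srcp, int is_plain_text)
{
    if (*destp > dest && isspace((*destp)[-1])) {
        (*destp)--;                 /* drop the space already written */
        return BRK_DROP_DEST_SPACE;
    }
    if (is_plain_text && isspace(**srcp)) {
        (*srcp)++;                  /* skip the space still in the source */
        return BRK_SKIP_SRC_SPACE;
    }
    return BRK_NONE;
}

/* Runs trim_checked on constructed input: `out` is the text treated as
 * already copied to dest, `src` the text still to convert. *dest_moved and
 * *src_moved report how far destp and srcp moved. */
enum brk_action run_case(const char *out, const char *src, int is_plain_text,
                         long *dest_moved, long *src_moved)
{
    unsigned char dest[32] = {0};
    size_t n = strlen(out) < sizeof dest ? strlen(out) : sizeof dest - 1;
    unsigned char *destp = dest + n;
    const unsigned char *srcp = (const unsigned char *)src;
    memcpy(dest, out, n);
    enum brk_action a = trim_checked(dest, &destp, &srcp, is_plain_text);
    *dest_moved = (long)(destp - dest) - (long)n;
    *src_moved = (long)(srcp - (const unsigned char *)src);
    return a;
}

int main(void)
{
    long d, s;
    int a = run_case("", " next", 1, &d, &s);    /* destp == dest */
    printf("empty dest: action=%d dest%+ld src%+ld\n", a, d, s);
    a = run_case("ab ", "next", 1, &d, &s);      /* space already written */
    printf("after \"ab \": action=%d dest%+ld src%+ld\n", a, d, s);
    return 0;
}
```

Building the original code path with -fsanitize=address, as the reporter did, is what surfaces the unguarded read at the start of the buffer.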


