[Users] [Bug 3573] New: Out of bounds read in macro LBREAK_IF_REQUIRED in codeconv.c
noreply at thewildbeast.co.uk
Sun Nov 29 11:53:01 CET 2015
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3573
Bug ID: 3573
Summary: Out of bounds read in macro LBREAK_IF_REQUIRED in codeconv.c
Classification: Unclassified
Product: Claws Mail
Version: GIT
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Other
Assignee: users at lists.claws-mail.org
Reporter: hanno at hboeck.de
Created attachment 1613
  --> http://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=1613&action=edit
[patch] Fix invalid memory access in LBREAK_IF_REQUIRED

I discovered an out of bounds read in claws-mail when trying to reply to
certain mails when testing with Address Sanitizer.
I figured out the code causing this is in the macro LBREAK_IF_REQUIRED in
codeconv.c. This is the code in question:

    } else if (destp == (guchar *)dest && left < 7) {   \
        if (isspace(*(destp - 1)))                      \
            destp--;                                    \
        else if (is_plain_text && isspace(*srcp))       \
            srcp++;                                     \

If I understand the code correctly, the (isspace(*(destp - 1))) does not make
any sense. It only gets triggered if destp and dest are identical, thus it
means destp points to the beginning of the buffer. Therefore destp-1 is always
pointing to invalid memory.
(This check probably got copied from some lines above. There the check is
valid, because that code part gets executed when destp is bigger than dest).
So this part of the if-clause should be removed. Patch attached.
--
You are receiving this mail because:
You are the assignee for the bug.
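
Added example, not part of the original report or of the Claws Mail source: a stand-alone C model of the look-back check discussed above, showing the pre-patch shape next to a guarded one. The function names, the buffer and the sample input are hypothetical, and the guarded function merges the `destp > dest` and `destp == dest` cases into one routine, which goes slightly beyond the attached patch.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical model of the branch quoted in the report (names are not
 * from codeconv.c). dest = start of the output buffer, destp = write
 * cursor, *srcp = read cursor into NUL-terminated input. */

/* Pre-patch shape: reached with destp == dest, so destp[-1] is the byte
 * before the buffer. Kept for comparison only; main() never calls it. */
unsigned char *break_prepatch(unsigned char *dest, unsigned char *destp,
                              const unsigned char **srcp, int is_plain_text)
{
    (void)dest;
    if (isspace(destp[-1]))          /* out-of-bounds read when destp == dest */
        destp--;
    else if (is_plain_text && isspace(**srcp))
        (*srcp)++;
    return destp;
}

/* Guarded shape: look back only when at least one byte has been written. */
unsigned char *break_guarded(unsigned char *dest, unsigned char *destp,
                             const unsigned char **srcp, int is_plain_text)
{
    if (destp > dest && isspace(destp[-1]))
        return destp - 1;            /* drop the trailing space before the break */
    if (is_plain_text && isspace(**srcp))
        (*srcp)++;                   /* skip the space that would start the next line */
    return destp;
}

int main(void)
{
    unsigned char line[16] = "";     /* constructed: empty output line */
    const unsigned char *src = (const unsigned char *)" rest";
    unsigned char *p = break_guarded(line, line, &src, 1);

    printf("cursor moved back: %d, next input: \"%s\"\n",
           p != line, (const char *)src);
    return 0;
}
```

With an empty output line the guarded version leaves the write cursor at the start of the buffer and only advances the source cursor, which matches the behaviour the report asks for.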