PATCH: mdecode2047() buffer overrun

From: David D. Kilzer <>
Date: Fri, 07 Aug 1998 19:09:27 -0500
Message-Id: <>

[I just switched from digest mode (which hasn't sent anything for over a month or two) to regular mode, so I may have missed some mail traffic.]

Whilst hacking a user-requested feature into Hypermail (they want to set a second "label" for each monthly archive that can be included as a "percent-character" item), I found a buffer overrun bug in mdecode2047() that results in a seg fault or bus error. This only happens when a header line is more than MAXLINE-1 characters and the message is a MIME-encoded message ("Mime-Version: 1.0").

This may have already been fixed by Kevin, but I had to develop a patch to get it working in the meantime. It's included below, along with a "test" message if you're interested in regression testing.

BTW, I'm not planning to send a patch for my user-requested feature, but if anyone's interested, I will make one. It uses "%L" for header/footer replacement, "-L" for a command line switch, and defaults to "Mmm YYYY" as a default, for example, "Aug 1998".


David D. Kilzer              \     Dr. Beverly Crusher, Stardate 44181.2:
Software Designer            /   ``If there's nothing wrong with me, maybe
Raytheon Systems Company     \   there's something wrong with the universe.''              /       _Star Trek: The Next Generation_

------- Patch
--- parse.c.cln Thu Aug 6 17:26:54 1998
+++ parse.c Thu Aug 6 18:02:26 1998

_at_@ -617,13 +617,15 @@

 static char *mdecodeRFC2047( char *string )  {

     char *iptr = string;
     char *oldptr;

- char storage[MAXLINE];
+ char *storage = emalloc(strlen(string)+1);    

     char *output = storage;    

_at_@ -725,10 +727,13 @@

-        return strsav(storage); /* return new */
+        return storage; /* return new */
+    {
+        free(storage);
         return string;

+ }

------- End of Patch

Received on Sat 08 Aug 1998 02:14:20 AM GMT

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:11 AM GMT GMT