hypermail core dump - buffer overflow

From: Ron Stanonik <stanonik_at_cogsci.ucsd.edu_at_hypermail-project.org>
Date: Mon, 25 Jan 1999 07:25:14 -0800
Message-Id: <9901251525.AA27051_at_cogsci.UCSD.EDU>


Sorry if you've already seen this. I didn't see my posting in the archives, www.landfield seemed to be down about the time I posted, and I wasn't subscribed at the time.

We ran into a problem with hypermail core dumping when parsing messages with long lines, QP encoded with soft line breaks. The problem was a buffer overflow, which the appended diff seems to have fixed.

The messages were coming from Outlook Express, multipart/alternative, the alternatives being text and html. It appears the messages were composed as html, then Outlook Express generated the text alternative by turning each paragraph into one line, QP encoded with soft line breaks (= at the end of the maximum 76 character lines to satisfy mime's maximum line length requirement). When the decoded line exceeded the size of tempbuff, then hypermail would core dump.

Thanks,

Ron Stanonik
stanonik_at_cogsci.ucsd.edu

! size = strlen(tempbuff);   

        if(out + size < outsize) {
!         strcpy(output, tempbuff);
          output += size;
          out += size;
        }

--- 701,711 ----

    }
    if (lastpos < input) {

        int size;   

! size = input-lastpos;   

        if(out + size < outsize) {
!         sprintf(output, "%.*s", input-lastpos, lastpos);
          output += size;
          out += size;
        }
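Review bot: in the `sprintf(output, "%.*s", input-lastpos, lastpos);` line the precision argument for `%.*s` must be an `int`, but `input-lastpos` is a pointer difference (`ptrdiff_t`), which is wider than `int` on 64-bit targets; since `size` already holds that value as an `int`, pass `size` (or `(int)(input-lastpos)`) so the argument type matches the format. The `if(out + size < outsize)` check bounds the write into `output`, but the hunk does not show where `tempbuff` was filled before this point; if the decoded line is still copied into `tempbuff` upstream, the overflow described in the report would happen before the changed lines, so it would be worth confirming that that copy was removed or bounded as well.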
Received on Mon 25 Jan 1999 05:29:49 PM GMT
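A bounded quoted-printable decoder in C, added here as an illustration and not hypermail's code: it drops soft line breaks so a wrapped paragraph re-joins into one long line, as the report describes, but returns -1 instead of writing past the caller's buffer. The function names, the SAMPLE message text and the EXPECTED string are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
static int hexval(int c) {                    /* one hex digit -> value, else -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper((unsigned char)c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}
/* Decode quoted-printable `in` into `out` (capacity outsize, NUL included), dropping
 * "=\r\n" / "=\n" soft line breaks so a 76-column-wrapped paragraph re-joins into one
 * line.  Returns the decoded length, or -1 if it would not fit (never writes past outsize-1). */
ptrdiff_t qp_decode_bounded(const char *in, char *out, size_t outsize) {
    size_t n = 0; if (outsize == 0) return -1;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '=') {
            if (in[0] == '\n' || (in[0] == '\r' && in[1] == '\n')) {
                in += (in[0] == '\r') ? 2 : 1;                 /* soft line break */
                continue;
            }
            int hi = hexval(in[0]), lo = hi < 0 ? -1 : hexval(in[1]);
            if (lo >= 0) { c = hi * 16 + lo; in += 2; }       /* =XX; bare '=' kept */
        }
        if (n + 1 >= outsize) { out[n] = '\0'; return -1; }    /* refuse to overflow */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (ptrdiff_t)n;
}
/* Constructed sample: one paragraph sent as three QP lines with soft breaks. */
static const char SAMPLE[] =
    "One paragraph composed as HTML, re-flowed by the mailer into =\r\n"
    "several 76-column lines joined by soft breaks =3D so it decodes=\r\n"
    " back into a single long line.\r\n";
static const char EXPECTED[] =                /* the single line it decodes to */
    "One paragraph composed as HTML, re-flowed by the mailer into "
    "several 76-column lines joined by soft breaks = so it decodes"
    " back into a single long line.\r\n";
int demo_roundtrip(void) {                    /* 1 if a roomy buffer gets the re-joined line */
    char big[256];
    return qp_decode_bounded(SAMPLE, big, sizeof big) == (ptrdiff_t)strlen(EXPECTED)
        && strcmp(big, EXPECTED) == 0;
}
int demo_guard_holds(void) {                  /* 1 if a 64-byte buffer is refused, not overrun */
    struct { char buf[64]; char sentinel[8]; } s;
    memset(&s, 0, sizeof s); strcpy(s.sentinel, "INTACT");
    return qp_decode_bounded(SAMPLE, s.buf, sizeof s.buf) == -1
        && strlen(s.buf) == 63 && strcmp(s.sentinel, "INTACT") == 0;
}
```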

This archive was generated by hypermail 2.3.0 : Sat 13 Mar 2010 03:46:11 AM GMT