STRLCPY/neomutt

imap: fix oob write during debug on 32 bit systems

If an imap server returns a length of 4294967285 bytes for message
headers, then buffer allocation in imap_read_literal may lead to a 0
byte allocation in mutt_buffer_alloc on 32 bit systems.

The allocation itself at this point is a realloc(NULL, 0). The result
is implementation-dependent. Systems might return NULL or return a
pointer which, according to standard, may only be passed to free.

But mutt_buffer_alloc writes '\0' into the memory. This actually works
on Linux with glibc, but OpenBSD is quite strict about it and crashes
the program.

Last but not least requirement to reproduce this: neomutt must be
run with a debug level of at least IMAP_LOG_LTRL.

Signed-off-by: Tobias Stoeckmann <[email protected]>

Tobias Stoeckmann committed with Richard Russon 2 years ago

7068adc3

1 parent 81d1d1a3

Total 2 files Show one by one

■ ■ ■ ■ ■ ■

imap/imap.c

		skipped 603 lines
604	604
605	605		const short c_debug_level = cs_subset_number(NeoMutt->sub, "debug_level");
606	606		if (c_debug_level >= IMAP_LOG_LTRL)
607		-	mutt_buffer_alloc(&buf, bytes + 10);
	607	+	mutt_buffer_alloc(&buf, bytes + 1);
608	608
609	609		mutt_debug(LL_DEBUG2, "reading %lu bytes\n", bytes);
610	610
		skipped 1904 lines

■ ■ ■ ■ ■ ■

mutt/buffer.c

		skipped 29 lines
30	30		#include "config.h"
31	31		#include <stdarg.h>
32	32		#include <stdbool.h>
	33	+	#include <stdint.h>
33	34		#include <stdio.h>
34	35		#include <string.h>
35	36		#include "buffer.h"
		skipped 237 lines
273	274		const bool was_empty = (buf->dptr == NULL);
274	275		const size_t offset = (buf->dptr && buf->data) ? (buf->dptr - buf->data) : 0;
275	276
276		-	buf->dsize = ROUND_UP(new_size + 1, BufferStepSize);
	277	+	if (new_size > SIZE_MAX - BufferStepSize)
	278	+	buf->dsize = SIZE_MAX;
	279	+	else
	280	+	buf->dsize = ROUND_UP(new_size + 1, BufferStepSize);
277	281		mutt_mem_realloc(&buf->data, buf->dsize);
278	282		mutt_buffer_seek(buf, offset);
279	283
		skipped 192 lines