
Bug in libta/mime2headers.c

Hi,

I think I found a serious bug in libta/mime2headers.c. We had some sm
processes allocating all memory of the machine (~250MB or so). gdb showed
it was in the function header8bit2QP(). There must be at least one problem
there. These are my patches, but I'm not sure if they are correct:

--- ../zmailer-2.99.42.orig/transports/libta/mime2headers.c	Sun Nov 24 15:34:13 1996
+++ transports/libta/mime2headers.c	Thu Nov 28 14:10:15 1996
@@ -73,7 +73,7 @@
 	    eightbitchars += 2;
 	  wordlen++;
 	}
-	if (wordlen+(*len)+has8bit*(eightbitchars) >= MAXENCODEDLINE) {
+	if (wordlen && wordlen+(*len)+has8bit*(eightbitchars) >= MAXENCODEDLINE) {
 	  has8bit = 1;
 	  wordlen--;
 	  c = *(*line+wordlen);
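Review bot: the added `wordlen &&` guard stops `wordlen--` from turning the index in `c = *(*line+wordlen);` into `-1` (or, if `wordlen` is unsigned, into a wrapped-around huge value) when no characters were consumed, but it also means a zero-length word now skips the `MAXENCODEDLINE` check entirely and falls through to whatever follows the `if`. That only avoids the out-of-bounds read; it does not make the function advance `*line`, so a call that consumes nothing still returns without progress and the caller keeps spinning. The case "nothing consumed" deserves an explicit return path here (advance past the offending character or return an error code) rather than relying on the caller to notice, and the guard should be documented as "no word found" so the next reader does not take it for a line-length special case.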
@@ -167,7 +167,7 @@
 	  hdr_offset++;
 	ptr = line;
 #endif
-	while (*ptr != '\0') {
+	while (*ptr != '\0' && 0 == lines) {
 	  int wlen;
 	  if (header8bit2QPnextword(&ptr, word, &len, &inside, tmp, fold, hdr_offset)) {
 	    lines++;
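Review bot: the `0 == lines` condition breaks the hang but changes behaviour for every header that needs more than one encoded line: `lines` is incremented the first time `header8bit2QPnextword()` returns nonzero, so the loop exits after the first fold and any remaining words in `ptr` are never encoded. The loop should terminate on lack of progress, not on a line count, for example by saving `ptr` before the call and leaving the loop when it is unchanged afterwards:
	  char *prev = ptr;
	  if (header8bit2QPnextword(&ptr, word, &len, &inside, tmp, fold, hdr_offset)) {
	  ...
	  if (ptr == prev) break;
That keeps multi-line output intact while guaranteeing the loop cannot run forever, and it avoids the unbounded allocation the poster observed even if the root cause in `header8bit2QPnextword()` is fixed separately.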


The first problem is the call to header8bit2QPnextword(). If this does not
change ptr, the while will loop forever, slowly allocating all available
memory. And I don't know what purpose the variable lines serves. It is
never tested, just incremented. I added the test for lines==0 in the while
condition to break the infinite loop.

Another problem is in the function header8bit2QPnextword() itself. It may
be that wordlen is never incremented, and then the statement wordlen--
might lead to negative indices, possibly referring to bad memory. This is
why I added the test to the "if" condition.

Maybe someone can provide a better fix.

Greetings, Swen