fix potential buffer overflow in off-by-one bounds checking error

author john beck <john.beck@oracle.com>

Fri, 22 Feb 2013 16:30:40 +0000 (16:30 +0000)

committer john beck <john.beck@oracle.com>

Fri, 22 Feb 2013 16:30:40 +0000 (16:30 +0000)
author john beck <john.beck@oracle.com>
Fri, 22 Feb 2013 16:30:40 +0000 (16:30 +0000)
committer john beck <john.beck@oracle.com>
Fri, 22 Feb 2013 16:30:40 +0000 (16:30 +0000)
diff --git a/rfc1524.c b/rfc1524.c

index 1baca7488f728f5c543c20ab29200cb375c4dac6..ccd78c112b71fd3c9617d98d061261927c2940a1 100644 (file)
--- a/rfc1524.c
+++ b/rfc1524.c
@@ -68,7 +68,7 @@ int rfc1524_expand_command (BODY *a, char *filename, char *_type,
    if (option (OPTMAILCAPSANITIZE))
      mutt_sanitize_filename (type, 0);
  
-  while (x < clen && command[x] && y < sizeof (buf) - 1)
+  while (x < clen - 1 && command[x] && y < sizeof (buf) - 1)
    {
      if (command[x] == '\\')
      {
diff --git a/sendlib.c b/sendlib.c

index c1c32fbda8ec2df57bb58a34342e249beda99bee..cede8534f1066a14e6253a1685d76f0f3a023d90 100644 (file)
--- a/sendlib.c
+++ b/sendlib.c
@@ -1664,7 +1664,7 @@ static int fold_one_header (FILE *fp, const char *tag, const char *value,
      /* find the next word and place it in `buf'. it may start with
       * whitespace we can fold before */
      next = find_word (p);
-    l = MIN(sizeof (buf), next - p);
+    l = MIN(sizeof (buf) - 1, next - p);
      memcpy (buf, p, l);
      buf[l] = 0;
author	john beck <john.beck@oracle.com>
	Fri, 22 Feb 2013 16:30:40 +0000 (16:30 +0000)
committer	john beck <john.beck@oracle.com>
	Fri, 22 Feb 2013 16:30:40 +0000 (16:30 +0000)
rfc1524.c		patch \| blob \| history
sendlib.c		patch \| blob \| history