From 216466b34724147465fb3ac7461f69cbdf962eaf Mon Sep 17 00:00:00 2001 From: Brendan Cully Date: Fri, 20 Jul 2012 12:32:44 -0700 Subject: [PATCH] Do not use stack-allocated space for BUFFERs It will cause mutt_buffer_* to segfault if it needs to grow the space. Thanks to Steve Losh for discovering the issue. I have done some simple grepping to find other cases, but some may remain. --- commands.c | 14 ++++++++------ hook.c | 24 +++++++++++++++--------- init.c | 38 +++++++++++++++++++++++++------------- pattern.c | 17 ++++++++++------- 4 files changed, 58 insertions(+), 35 deletions(-) diff --git a/commands.c b/commands.c index f9c202515..bc1036bdd 100644 --- a/commands.c +++ b/commands.c @@ -611,27 +611,29 @@ void mutt_shell_escape (void) void mutt_enter_command (void) { BUFFER err, token; - char buffer[LONG_STRING], errbuf[LONG_STRING]; + char buffer[LONG_STRING]; int r; buffer[0] = 0; if (mutt_get_field (":", buffer, sizeof (buffer), M_COMMAND) != 0 || !buffer[0]) return; - err.data = errbuf; - err.dsize = sizeof (errbuf); + err.dsize = STRING; + err.data = safe_malloc(err.dsize); memset (&token, 0, sizeof (token)); r = mutt_parse_rc_line (buffer, &token, &err); FREE (&token.data); - if (errbuf[0]) + if (err.data[0]) { /* since errbuf could potentially contain printf() sequences in it, we must call mutt_error() in this fashion so that vsprintf() doesn't expect more arguments that we passed */ if (r == 0) - mutt_message ("%s", errbuf); + mutt_message ("%s", err.data); else - mutt_error ("%s", errbuf); + mutt_error ("%s", err.data); } + + FREE (&err.data); } void mutt_display_address (ENVELOPE *env) diff --git a/hook.c b/hook.c index 2e4429845..3fdcfb2a2 100644 --- a/hook.c +++ b/hook.c @@ -279,12 +279,11 @@ void mutt_folder_hook (char *path) { HOOK *tmp = Hooks; BUFFER err, token; - char buf[STRING]; current_hook_type = M_FOLDERHOOK; - err.data = buf; - err.dsize = sizeof (buf); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); memset (&token, 0, sizeof (token)); for (; tmp; tmp = tmp->next) { @@ -301,12 +300,15 @@ void mutt_folder_hook (char *path) FREE (&token.data); mutt_sleep (1); /* pause a moment to let the user see the error */ current_hook_type = 0; + FREE (&err.data); + return; } } } } FREE (&token.data); + FREE (&err.data); current_hook_type = 0; } @@ -328,12 +330,11 @@ void mutt_message_hook (CONTEXT *ctx, HEADER *hdr, int type) { BUFFER err, token; HOOK *hook; - char buf[STRING]; current_hook_type = type; - err.data = buf; - err.dsize = sizeof (buf); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); memset (&token, 0, sizeof (token)); for (hook = Hooks; hook; hook = hook->next) { @@ -348,10 +349,14 @@ void mutt_message_hook (CONTEXT *ctx, HEADER *hdr, int type) mutt_error ("%s", err.data); mutt_sleep (1); current_hook_type = 0; + FREE (&err.data); + return; } } FREE (&token.data); + FREE (&err.data); + current_hook_type = 0; } @@ -467,13 +472,12 @@ void mutt_account_hook (const char* url) HOOK* hook; BUFFER token; BUFFER err; - char buf[STRING]; if (inhook) return; - err.data = buf; - err.dsize = sizeof (buf); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); memset (&token, 0, sizeof (token)); for (hook = Hooks; hook; hook = hook->next) @@ -489,6 +493,7 @@ void mutt_account_hook (const char* url) { FREE (&token.data); mutt_error ("%s", err.data); + FREE (&err.data); mutt_sleep (1); inhook = 0; @@ -500,5 +505,6 @@ void mutt_account_hook (const char* url) } FREE (&token.data); + FREE (&err.data); } #endif diff --git a/init.c b/init.c index eea028130..a3ec23258 100644 --- a/init.c +++ b/init.c @@ -2731,7 +2731,6 @@ int mutt_query_variables (LIST *queries) { LIST *p; - char errbuff[LONG_STRING]; char command[STRING]; BUFFER err, token; @@ -2739,8 +2738,8 @@ int mutt_query_variables (LIST *queries) memset (&err, 0, sizeof (err)); memset (&token, 0, sizeof (token)); - err.data = errbuff; - err.dsize = sizeof (errbuff); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); for (p = queries; p; p = p->next) { @@ -2749,12 +2748,16 @@ int mutt_query_variables (LIST *queries) { fprintf (stderr, "%s\n", err.data); FREE (&token.data); + FREE (&err.data); + return 1; } printf ("%s\n", err.data); } FREE (&token.data); + FREE (&err.data); + return 0; } @@ -2763,7 +2766,6 @@ int mutt_dump_variables (void) { int i; - char errbuff[LONG_STRING]; char command[STRING]; BUFFER err, token; @@ -2771,8 +2773,8 @@ int mutt_dump_variables (void) memset (&err, 0, sizeof (err)); memset (&token, 0, sizeof (token)); - err.data = errbuff; - err.dsize = sizeof (errbuff); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); for (i = 0; MuttVars[i].option; i++) { @@ -2784,12 +2786,16 @@ int mutt_dump_variables (void) { fprintf (stderr, "%s\n", err.data); FREE (&token.data); + FREE (&err.data); + return 1; } printf("%s\n", err.data); } FREE (&token.data); + FREE (&err.data); + return 0; } @@ -2841,11 +2847,10 @@ static void start_debug (void) static int mutt_execute_commands (LIST *p) { BUFFER err, token; - char errstr[SHORT_STRING]; memset (&err, 0, sizeof (err)); - err.data = errstr; - err.dsize = sizeof (errstr); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); memset (&token, 0, sizeof (token)); for (; p; p = p->next) { @@ -2853,10 +2858,14 @@ static int mutt_execute_commands (LIST *p) { fprintf (stderr, _("Error in command line: %s\n"), err.data); FREE (&token.data); - return (-1); + FREE (&err.data); + + return -1; } } FREE (&token.data); + FREE (&err.data); + return 0; } @@ -2881,13 +2890,14 @@ void mutt_init (int skip_sys_rc, LIST *commands) { struct passwd *pw; struct utsname utsname; - char *p, buffer[STRING], error[STRING]; + char *p, buffer[STRING]; int i, default_rc = 0, need_pause = 0; BUFFER err; memset (&err, 0, sizeof (err)); - err.data = error; - err.dsize = sizeof (error); + err.dsize = STRING; + err.data = safe_malloc(err.dsize); + err.dptr = err.data; Groups = hash_create (1031, 0); ReverseAlias = hash_create (1031, 1); @@ -3150,6 +3160,8 @@ void mutt_init (int skip_sys_rc, LIST *commands) #if 0 set_option (OPTWEED); /* turn weeding on by default */ #endif + + FREE (&err.data); } int mutt_get_hook_type (const char *name) diff --git a/pattern.c b/pattern.c index 310d2eed8..55841b3d0 100644 --- a/pattern.c +++ b/pattern.c @@ -1288,7 +1288,7 @@ void mutt_check_simple (char *s, size_t len, const char *simple) int mutt_pattern_func (int op, char *prompt) { pattern_t *pat; - char buf[LONG_STRING] = "", *simple, error[STRING]; + char buf[LONG_STRING] = "", *simple; BUFFER err; int i; progress_t progress; @@ -1303,12 +1303,13 @@ int mutt_pattern_func (int op, char *prompt) mutt_check_simple (buf, sizeof (buf), NONULL (SimpleSearch)); memset (&err, 0, sizeof(err)); - err.data = error; - err.dsize = sizeof (error); + err.dsize = STRING; + err.data = safe_malloc(err.dsize); if ((pat = mutt_pattern_comp (buf, M_FULL_MSG, &err)) == NULL) { FREE (&simple); mutt_error ("%s", err.data); + FREE (&err.data); return (-1); } @@ -1396,6 +1397,8 @@ int mutt_pattern_func (int op, char *prompt) } FREE (&simple); mutt_pattern_free (&pat); + FREE (&err.data); + return 0; } @@ -1404,7 +1407,6 @@ int mutt_search_command (int cur, int op) int i, j; char buf[STRING]; char temp[LONG_STRING]; - char error[STRING]; int incr; HEADER *h; progress_t progress; @@ -1437,11 +1439,12 @@ int mutt_search_command (int cur, int op) strfcpy (LastSearch, buf, sizeof (LastSearch)); mutt_message _("Compiling search pattern..."); mutt_pattern_free (&SearchPattern); - err.data = error; - err.dsize = sizeof (error); + err.dsize = STRING; + err.data = safe_malloc (err.dsize); if ((SearchPattern = mutt_pattern_comp (temp, M_FULL_MSG, &err)) == NULL) { - mutt_error ("%s", error); + mutt_error ("%s", err.data); + FREE (&err.data); LastSearch[0] = '\0'; return (-1); } -- 2.40.0