From b2612e5cb1e89b9abf896060854b97d93fcb60e8 Mon Sep 17 00:00:00 2001
From: Rocco Rutte
Date: Sun, 4 Nov 2007 18:14:25 +0100
Subject: [PATCH] Prevent mailto parsing buffer overflow by ignoring too long header.
If they're longer than our buffer, we can't turn it into a header to be parsed by mutt_parse_rfc822_line() anyway, so we bail out in this case. Also make main() catchup mailto parsing errors. Closes #2980.
---
 main.c | 10 +++++++++-
 url.c | 18 ++++++++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/main.c b/main.c
index 03543e1a9..0b814ee90 100644
--- a/main.c
+++ b/main.c
@@ -829,7 +829,15 @@ int main (int argc, char **argv)
 for (i = optind; i < argc; i++)
 {
 if (url_check_scheme (argv[i]) == U_MAILTO)
- url_parse_mailto (msg->env, &bodytext, argv[i]);
+ {
+ if (url_parse_mailto (msg->env, &bodytext, argv[i]) < 0)
+ {
+ if (!option (OPTNOCURSES))
+ mutt_endwin (NULL);
+ fputs (_("Failed to parse mailto: link\n"), stderr);
+ exit (1);
+ }
+ }
 else
 msg->env->to = rfc822_parse_adrlist (msg->env->to, argv[i]);
 }
diff --git a/url.c b/url.c
index 14a902413..b0e6cb3db 100644
--- a/url.c
+++ b/url.c
@@ -217,7 +217,7 @@ int url_parse_mailto (ENVELOPE *e, char **body, const char *src)
 char *tag, *value;
 char scratch[HUGE_STRING];
- int taglen;
+ int taglen, rc = 0;
 LIST *last = NULL;
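Review bot: `taglen` keeps its `int` type in the new declaration `int taglen, rc = 0;`, yet the next hunk assigns it from mutt_strlen and compares it against `sizeof (scratch) - 2`, a `size_t`. If mutt_strlen returns `size_t` as strlen does, the length is narrowed to a signed int and then promoted back to unsigned for the comparison, which -Wsign-compare will flag and which turns any negative value into a huge one that passes the bound. Splitting the declaration into `size_t taglen;` and `int rc = 0;` keeps the comparison, the `scratch[taglen]` store and the `&scratch[taglen+1]` index in one unsigned type. The rest of url_parse_mailto's declarations and body lie outside this hunk.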
@@ -250,19 +250,25 @@ int url_parse_mailto (ENVELOPE *e, char **body, const char *src)
 if (body)
 mutt_str_replace (body, value);
 }
- else
+ else if ((taglen = mutt_strlen (tag)) <= sizeof (scratch) - 2)
 {
- taglen = strlen (tag);
- /* mutt_parse_rfc822_line makes some assumptions */
+ /* only try to parse if we can format it as header for
+ * mutt_parse_rfc822_line (tag fits in scratch) */
 snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);
 scratch[taglen] = '\0';
 value = &scratch[taglen+1];
 SKIPWS (value);
 mutt_parse_rfc822_line (e, NULL, scratch, value, 1, 0, 0, &last);
 }
+ else
+ {
+ rc = -1;
+ goto out;
+ }
 }
-
+
+out:
 FREE (&tmp);
- return 0;
+ return rc;
 }
-- 
2.40.0
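Review bot: The new `else if` guard bounds only the tag, so a header whose value does not fit in `scratch` is still silently cut off by `snprintf` and the truncated text is handed to mutt_parse_rfc822_line as if it were the complete header; the commit message says over-long headers are rejected, but only over-long tags are. Since `snprintf` returns the length it would have written, the truncated case can take the same error path: `int n = snprintf (scratch, sizeof (scratch), "%s: %s", tag, value);` followed by `if (n < 0 || (size_t) n >= sizeof (scratch)) { rc = -1; goto out; }` before the `scratch[taglen] = '\0';` store. With the `sizeof (scratch) - 2` bound the store to `scratch[taglen]` and the read from `&scratch[taglen+1]` stay inside the buffer, because snprintf always terminates within the size it is given, so the overflow the commit targets is indeed closed. The enclosing loop and the function's start lie before this hunk.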