Fixed two buffer underflow bugs in concatHDR.

When indata contains just "\n" and n==1, concatHDR would read the byte
before indata.  Also, headers with leading spaces would cause the byte
before the allocated outdata to be written, causing corruption in the
allocation chains.
1 parent 03c19bf commit cb1ec39bfb381ea30b08307fae4575b70445a616 @bruceg committed Oct 1, 2008
Showing with 6 additions and 2 deletions.
  1. +2 −0 CHANGES.idx
  2. +4 −2 concatHDR.c
@@ -35,6 +35,8 @@ ezmlm-idx-0.445, ????????
- Fixed an extremely rare bug with single-byte buffers.
+- Fixed a buffer underflow bug in concatHDR.
+
ezmlm-idx-0.444, 20061123
=========================
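Review bot: The new CHANGES.idx entry says "a buffer underflow bug" (singular), while the commit guards two separate loops in concatHDR.c: the trailing '\0'/'\n' scan over indata (an out-of-bounds read) and the LWSP trim over outdata (an out-of-bounds write). Suggest wording the entry as "Fixed two buffer underflow bugs in concatHDR." so the changelog matches the commit message and readers can tell that the heap-corrupting write is covered as well as the read.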
@@ -27,7 +27,8 @@ void concatHDR(char *indata,
if (n == 0) return;
cplast = indata + n - 1;
cp = cplast;
- while (*cplast == '\0' || *cplast == '\n') --cplast;
+ while (cplast >= indata && (*cplast == '\0' || *cplast == '\n'))
+ --cplast;
if (cp == cplast) die_nomem(); /* just in case */
*(++cplast) = '\n'; /* have terminal '\n' */
cp = indata;
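Review bot: In the new `while (cplast >= indata && ...)` loop, input consisting only of '\0' and '\n' bytes leaves cplast at indata - 1. The dereference is now guarded, but forming and comparing a pointer that lies before the start of the buffer is itself undefined in ISO C, so the guard is not guaranteed to behave as written. Suggest scanning with a remaining-length counter or an index instead of a pointer that can step below indata. Also worth a comment: in that all-terminator case `cp == cplast` is false, so the "just in case" die_nomem() check does not fire and `*(++cplast) = '\n'` lands on indata[0], which looks intended but is not obvious from the code.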
@@ -36,7 +37,8 @@ void concatHDR(char *indata,
while (*cp != '\n') *(cpout++) = *(cp++); /* text */
++cp; /* skip \n */
--cpout; /* last char */
- while (*cpout == ' ' || *cpout == '\t') --cpout; /* LWSP after */
+ while (cpout >= outdata->s && (*cpout == ' ' || *cpout == '\t'))
+ --cpout; /* LWSP after */
*(++cpout) = ' '; /* replace with single ' ' */
++cpout; /* point to free byte */
}
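Review bot: The bound check `cpout >= outdata->s` comes after the unguarded `--cpout; /* last char */` in the context line above it, so when nothing but whitespace (or nothing at all) has been copied, cpout is already one byte before outdata->s when the loop condition is first evaluated. That is the same before-the-start pointer concern as in the previous hunk; an index into outdata->s would avoid it. When the loop exits on the bound, `*(++cpout) = ' '` writes outdata->s[0], so the output begins with a single space: a short comment stating that this is the intended result, plus a regression test for the two inputs named in the commit message (indata of just "\n" with n==1, and a header with leading spaces), would keep these cases from regressing.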
