| Field | Value |
|---|---|
| Summary | Patch to fix memory corruption in sc_html_read_line() |
| Product | Claws Mail (GTK 2) |
| Component | Other |
| Reporter | Fabian Keil <fk> |
| Assignee | users |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P3 |
| Version | 3.10.0 |
| Hardware | All |
| OS | FreeBSD |
| Attachments | 1375 (the patch, see the first comment) |
Created attachment 1375
Patch to fix memory corruption in sc_html_read_line()

The attached patch fixes crashes like this:

    (gdb) r
    Starting program: /usr/local/bin/claws-mail
    [New LWP 101445]
    [New Thread 80b006400 (LWP 101445)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 80b006400 (LWP 101445)]
    0x00000000004c1c71 in sc_html_read_line (parser=0x80b1dda00) at html.c:466
    466         index = parser->bufp - parser->buf->str;
    (gdb) p *parser
    $1 = {fp = 0x80b14d5e0, conv = 0x8056e1f50, symbol_table = 0x8056e1f00 <g_idle_funcs>, alt_symbol_table = 0x1, str = 0x80b0546c0, buf = 0x10000006c, bufp = 0x1f5 <Address 0x1f5 out of bounds>, state = SC_HTML_NORMAL, href = 0x0, newline = 0, empty_line = 0, space = 0, pre = 0}
    (gdb) where
    #0  0x00000000004c1c71 in sc_html_read_line (parser=0x80b1dda00) at html.c:466
    #1  0x00000000004c1960 in sc_html_parse (parser=0x80b1ddac0) at html.c:395
    #2  0x00000000005e538a in textview_show_html (textview=0x80b19dcc0, fp=0x806feb580, conv=0x80b14d5c0) at textview.c:1214
    #3  0x00000000005e26f8 in textview_write_body (textview=0x80b19dcc0, mimeinfo=0x80b08a780) at textview.c:1067
    [...]

Note that parser's last byte got overwritten in #0.

Changes related to this bug have been committed. Please check latest Git and update the bug accordingly. You can also get the patch from: http://git.claws-mail.org/

++ ChangeLog 2014-06-01 16:04:02.398289641 +0200

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=8791822610f193b0ea29e17a8173e6fc68b5375f
Merge: 07b2a97 5f52f11
Author: Colin Leroy <colin@colino.net>
Date:   Sun Jun 1 16:04:02 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=5f52f113ac9fd054f10752febbfac340c38cddbe
Author: Fabian Keil <fk@fabiankeil.de>
Date:   Sun Jun 1 13:55:20 2014 +0200

    Fix bug #3201 "Fix memory corruption in sc_html_read_line()"

    Previously fread() could fill the whole buffer in which case
    buf[n] = '\0' messed up the stack.

    Introduced in d0c64a09 + 4ab3585743.

Applied in master, thanks!

Oops, the stupid mistake. Thanks Fabian!
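The off-by-one the commit message describes, as an added example that is not Claws Mail code and does not reproduce sc_html_read_line() itself. The `struct frame` below is a hypothetical stand-in for the reader's stack frame: `buf` is the fixed-size local, and `sentinel` models whatever local follows it (in the reporter's backtrace that neighbour was evidently the saved `parser` pointer, whose value changes from 0x80b1ddac0 in frame #1 to 0x80b1dda00 in frame #0, i.e. its last byte became 0x00, exactly what a stray `'\0'` store does). `read_chunk_buggy()` reads `sizeof(buf)` bytes and terminates at `buf[n]`; `read_chunk_fixed()` reserves one byte for the terminator. The sample inputs are constructed; `fmemopen()` (POSIX) stands in for the real file.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a line reader's stack frame: a fixed buffer
 * followed by another local. Whatever sits after buf in the real frame
 * (here `sentinel`) is what a one-byte overflow clobbers. */
struct frame {
    char buf[16];
    char sentinel;
};

typedef size_t (*reader_fn)(FILE *, struct frame *);

/* Buggy pattern: let fread() fill the entire buffer, then terminate at buf[n].
 * For input of at least sizeof(buf) bytes, n == sizeof(buf) and the '\0'
 * lands one past the array, i.e. in `sentinel`. Returns bytes read. */
static size_t read_chunk_buggy(FILE *fp, struct frame *f)
{
    char *buf = f->buf;                       /* the fixed-size local */
    size_t n = fread(buf, 1, sizeof(f->buf), fp);
    buf[n] = '\0';                            /* off-by-one when n == sizeof(f->buf) */
    return n;
}

/* Fixed pattern: ask fread() for one byte less than the buffer holds, so
 * n <= sizeof(buf) - 1 and buf[n] is always inside the array. */
static size_t read_chunk_fixed(FILE *fp, struct frame *f)
{
    size_t n = fread(f->buf, 1, sizeof(f->buf) - 1, fp);
    f->buf[n] = '\0';
    return n;
}

/* Run one reader over a constructed in-memory "file". Returns bytes read
 * and leaves the frame (including the sentinel) in *f for inspection. */
static size_t run_reader(reader_fn reader, const char *input, struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->sentinel = 'S';                        /* canary standing in for the next local */
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (!fp)
        return (size_t)-1;
    size_t n = reader(fp, f);
    fclose(fp);
    return n;
}

/* 1 if the byte after the buffer survived the read, 0 if it was clobbered. */
static int sentinel_survives(reader_fn reader, const char *input)
{
    struct frame f;
    run_reader(reader, input, &f);
    return f.sentinel == 'S';
}

static size_t bytes_consumed(reader_fn reader, const char *input)
{
    struct frame f;
    return run_reader(reader, input, &f);
}

/* Constructed sample inputs: one longer than the 16-byte buffer (a long HTML
 * line), one that fits. */
static const char SAMPLE_LONG[]  = "<p>a deliberately long html line</p>";
static const char SAMPLE_SHORT[] = "<b>ok</b>";

int main(void)
{
    printf("buggy, long input : read %zu bytes, sentinel %s\n",
           bytes_consumed(read_chunk_buggy, SAMPLE_LONG),
           sentinel_survives(read_chunk_buggy, SAMPLE_LONG) ? "intact" : "CLOBBERED");
    printf("fixed, long input : read %zu bytes, sentinel %s\n",
           bytes_consumed(read_chunk_fixed, SAMPLE_LONG),
           sentinel_survives(read_chunk_fixed, SAMPLE_LONG) ? "intact" : "CLOBBERED");
    printf("buggy, short input: read %zu bytes, sentinel %s\n",
           bytes_consumed(read_chunk_buggy, SAMPLE_SHORT),
           sentinel_survives(read_chunk_buggy, SAMPLE_SHORT) ? "intact" : "CLOBBERED");
    return 0;
}
```

The short input shows why the bug survived testing: as long as every line is shorter than the buffer, `n < sizeof(buf)` and the terminator lands inside it. The check to make in review of any `fread()`/`read()` followed by `buf[n] = '\0'` is that the requested length is strictly less than the array size; the commit's fix is exactly that change in the size argument.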