Bug 3201 - Patch to fix memory corruption in sc_html_read_line()
Summary: Patch to fix memory corruption in sc_html_read_line()
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Other
Version: 3.10.0
Hardware: All FreeBSD
Importance: P3 normal
Assignee: users
URL:
Depends on:
Blocks:
 
Reported: 2014-06-01 14:21 UTC by Fabian Keil
Modified: 2014-06-01 19:01 UTC (History)

See Also:


Attachments
Patch to fix memory corruption in sc_html_read_line() (824 bytes, patch)
2014-06-01 14:21 UTC, Fabian Keil

Description Fabian Keil 2014-06-01 14:21:20 UTC
Created attachment 1375
Patch to fix memory corruption in sc_html_read_line()

The attached patch fixes crashes like this:

(gdb) r
Starting program: /usr/local/bin/claws-mail 
[New LWP 101445]
[New Thread 80b006400 (LWP 101445)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 80b006400 (LWP 101445)]
0x00000000004c1c71 in sc_html_read_line (parser=0x80b1dda00) at html.c:466
466		index = parser->bufp - parser->buf->str;
(gdb) p *parser
$1 = {fp = 0x80b14d5e0, conv = 0x8056e1f50, symbol_table = 0x8056e1f00 <g_idle_funcs>, alt_symbol_table = 0x1, str = 0x80b0546c0, buf = 0x10000006c, bufp = 0x1f5 <Address 0x1f5 out of bounds>, 
  state = SC_HTML_NORMAL, href = 0x0, newline = 0, empty_line = 0, space = 0, pre = 0}
(gdb) where
#0  0x00000000004c1c71 in sc_html_read_line (parser=0x80b1dda00) at html.c:466
#1  0x00000000004c1960 in sc_html_parse (parser=0x80b1ddac0) at html.c:395
#2  0x00000000005e538a in textview_show_html (textview=0x80b19dcc0, fp=0x806feb580, conv=0x80b14d5c0) at textview.c:1214
#3  0x00000000005e26f8 in textview_write_body (textview=0x80b19dcc0, mimeinfo=0x80b08a780) at textview.c:1067
[...]

Note that parser's last byte got overwritten in #0.
Comment 1 users 2014-06-01 16:04:02 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2014-06-01 16:04:02.398289641 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=8791822610f193b0ea29e17a8173e6fc68b5375f
Merge: 07b2a97 5f52f11
Author: Colin Leroy <colin@colino.net>
Date:   Sun Jun 1 16:04:02 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=5f52f113ac9fd054f10752febbfac340c38cddbe
Author: Fabian Keil <fk@fabiankeil.de>
Date:   Sun Jun 1 13:55:20 2014 +0200

    Fix bug #3201 "Fix memory corruption in sc_html_read_line()"
    
    Previously fread() could fill the whole buffer
    in which case buf[n] = '\0' messed up the stack.
    
    Introduced in d0c64a09 + 4ab3585743.
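The off-by-one the commit message describes, as an added C example that is not Claws Mail's code: a hypothetical fixed-size reader in the pre-fix shape (fread() asked for the whole buffer, then buf[n] = '\0') beside the fixed shape, with a sentinel byte placed right after the buffer to stand in for the parser fields the gdb dump above shows overwritten. LINE_CAP, SENTINEL, struct line_reader and the function names are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_CAP 8      /* hypothetical buffer size, kept small for the demo */
#define SENTINEL 0xA5   /* stands in for whatever follows the buffer in memory */
/* store[0..LINE_CAP-1] is the line buffer; store[LINE_CAP] is a sentinel that stays
 * inside the allocation, so the off-by-one write is observable without UB. */
struct line_reader { unsigned char store[LINE_CAP + 1]; };

/* Pre-fix shape: fread() may return LINE_CAP bytes, and then buf[n] = '\0'
 * lands one past the buffer (here on the sentinel). */
static size_t read_chunk_buggy(struct line_reader *r, FILE *fp) {
    char *buf = (char *)r->store;
    size_t n = fread(buf, 1, LINE_CAP, fp);
    buf[n] = '\0';              /* n == LINE_CAP when the input is long enough */
    return n;
}

/* Fixed shape: reserve the last byte for the terminator, so n <= LINE_CAP - 1. */
static size_t read_chunk_fixed(struct line_reader *r, FILE *fp) {
    char *buf = (char *)r->store;
    size_t n = fread(buf, 1, LINE_CAP - 1, fp);
    buf[n] = '\0';              /* always in bounds */
    return n;
}

/* Run one variant over a constructed input of `len` 'x' bytes. Returns 1 if the
 * sentinel survived, 0 if the terminator overwrote it, -1 on setup failure. */
static int sentinel_intact(size_t (*read_fn)(struct line_reader *, FILE *), size_t len) {
    struct line_reader r;
    char *input = malloc(len);
    if (!input) return -1;
    memset(input, 'x', len);
    memset(r.store, 0, sizeof r.store);
    r.store[LINE_CAP] = SENTINEL;
    FILE *fp = fmemopen(input, len, "r");
    if (!fp) { free(input); return -1; }
    read_fn(&r, fp);
    fclose(fp);
    free(input);
    return r.store[LINE_CAP] == SENTINEL;
}

int main(void) {
    printf("buggy, 20-byte input, sentinel intact: %d\n", sentinel_intact(read_chunk_buggy, 20));
    printf("fixed, 20-byte input, sentinel intact: %d\n", sentinel_intact(read_chunk_fixed, 20));
    return 0;
}
```

With input shorter than the buffer both variants behave the same, which is why the bug only surfaces on lines that fill the buffer completely.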
Comment 2 Ricardo Mones 2014-06-01 16:05:58 UTC
Applied in master, thanks!
Comment 3 Colin Leroy 2014-06-01 19:01:13 UTC
Oops, the stupid mistake. Thanks Fabian!
