
Opened 13 months ago

Closed 13 months ago

Last modified 12 months ago

#449 closed bug (fixed)

RFC2047 decoding writes one byte too much for certain strings

Reported by: tboeckel
Owned by: tboeckel
Priority: normal
Milestone: YAM 2.9
Component: MIME handling
Version: 2.8p1
Severity: major
Keywords: RFC2047 buffer overrun
Cc:
OS Platform:
Blocked By:
Blocking:
Release Notes:

fixed a buffer overrun in the RFC 2014 decoding routines which potentially caused unexpected crashes.

Description

Summary

With certain mails, YAM's RFC 2047 decoding writes one byte too much to a destination buffer, causing a buffer overrun. The byte is always a single NUL byte. The Wipeout hit points to mime/rfc2047.c line 877.

Steps to reproduce

  1. Open the example mail

Attachments (2)

rfc2047crash.eml (3.9 KB) - added by tboeckel 13 months ago.
Example mail causing the Wipeout hit
wipeouthit.txt (3.8 KB) - added by tboeckel 13 months ago.
Wipeout hit when opening the mail


Change History (4)

Changed 13 months ago by tboeckel

Example mail causing the Wipeout hit

Changed 13 months ago by tboeckel

Wipeout hit when opening the mail

comment:1 Changed 13 months ago by tboeckel

  • Resolution set to fixed
  • Status changed from new to closed

(In [7301]) * mime/base64.c: the output buffer for the decoding was always one byte too small to keep the terminating NUL byte. This always went unnoticed even when running tools like Wipeout/Mungwall if the length of the source string was not a multiple of 8. In this case the granularity of AmigaOS' memory system shadowed this buffer overrun. Only for source strings with a length being an exact multiple of 8 bytes the buffer overrun eventually really happened. This closes #449.
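
The masking effect described in the commit message, as an added example that is not YAM's code: a model of an allocator that rounds requests up to a fixed granularity, beside a Base64 decoder that takes the destination capacity and refuses to write unless the terminating NUL fits. The 8-byte granularity constant, all function names and the sample input are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GRANULARITY 8        /* assumed allocator granularity (model only) */
static char demo_out[16];    /* scratch output buffer for the demo */

/* Bytes actually reserved for an n-byte request in this model. */
static size_t rounded_alloc(size_t n) {
    return (n + GRANULARITY - 1) / GRANULARITY * GRANULARITY;
}

/* 1 if a NUL stored at index n of an n-byte request lands outside the block. */
static int nul_escapes_block(size_t n) { return n >= rounded_alloc(n); }

static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode src into dst, always NUL-terminating. Returns the decoded length,
 * or -1 on invalid input or when dst_cap cannot hold the data plus the NUL. */
static long b64_decode(const char *src, char *dst, size_t dst_cap) {
    size_t out = 0;
    unsigned acc = 0;
    int bits = 0;
    for (; *src && *src != '='; src++) {
        int v = b64val((unsigned char)*src);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out + 1 >= dst_cap) return -1;  /* keep one byte for the NUL */
            dst[out++] = (char)((acc >> bits) & 0xFF);
        }
    }
    if (out >= dst_cap) return -1;
    dst[out] = '\0';
    return (long)out;
}

int main(void) {
    for (size_t n = 5; n <= 8; n++)  /* only n == 8 leaves the real block */
        printf("request %zu: NUL escapes = %d\n", n, nul_escapes_block(n));
    printf("cap 6 -> %ld\n", b64_decode("TWFuTWFu", demo_out, 6));
    printf("cap 7 -> %ld (%s)\n", b64_decode("TWFuTWFu", demo_out, 7), demo_out);
    return 0;
}
```

Passing the capacity into the decoder turns the off-by-one into a clean error for every input length, instead of relying on a memory checker to catch the one length class where the slack bytes run out.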

comment:2 Changed 12 months ago by damato

  • Release Notes modified (diff)
