
Opened 10 months ago

Closed 10 months ago

Last modified 9 months ago

#449 closed bug (fixed)

RFC2047 decoding writes one byte too much for certain strings

Reported by: tboeckel
Owned by: tboeckel
Priority: normal
Milestone: YAM 2.9
Component: MIME handling
Version: 2.8p1
Severity: major
Keywords: RFC2047 buffer overrun
Cc:
OS Platform:
Blocked By:
Blocking:
Release Notes:

fixed a buffer overrun in the RFC 2014 decoding routines which potentially caused unexpected crashes.

Description

Summary

With certain mails YAM's RFC 2047 decoding writes one byte too much to a destination buffer causing a buffer overrun. The byte is always a single NUL byte. The Wipeout hit points to the mime/rfc2047.c line 877.

Steps to reproduce

  1. Open the example mail

Attachments (2)

rfc2047crash.eml (3.9 KB) - added by tboeckel 10 months ago.
Example mail causing the Wipeout hit
wipeouthit.txt (3.8 KB) - added by tboeckel 10 months ago.
Wipeout hit when opening the mail


Change History (4)

Changed 10 months ago by tboeckel

Example mail causing the Wipeout hit

Changed 10 months ago by tboeckel

Wipeout hit when opening the mail

comment:1 Changed 10 months ago by tboeckel

  • Resolution set to fixed
  • Status changed from new to closed

(In [7301]) * mime/base64.c: the output buffer for the decoding was always one byte too small to keep the terminating NUL byte. This always went unnoticed even when running tools like Wipeout/Mungwall if the length of the source string was not a multiple of 8. In this case the granularity of AmigaOS' memory system shadowed this buffer overrun. Only for source strings with a length being an exact multiple of 8 bytes the buffer overrun eventually really happened. This closes #449.
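The masking effect described in comment:1, as an added example that is not YAM's code and not part of the ticket: a small model of a guard-wall allocator showing why a one-byte NUL overrun is only detected when the requested size is an exact multiple of the allocation granule. The 8-byte granularity comes from the commit message; the wall layout, the helper names and the assumption that the buffer is requested with exactly the payload length are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE   8     /* allocation granularity named in the commit message */
#define WALL      8     /* guard bytes after the rounded block (assumed layout) */
#define WALL_FILL 0xA5  /* constructed fill pattern for the guard wall */

struct guarded { uint8_t *mem; size_t rounded; };

static size_t round_up(size_t n) { return (n + GRANULE - 1) / GRANULE * GRANULE; }

/* Hypothetical guarded allocation: the usable block is rounded up to GRANULE,
 * and the wall starts only after the rounded size, not the requested size. */
static int guarded_alloc(struct guarded *g, size_t request)
{
    g->rounded = round_up(request);
    g->mem = malloc(g->rounded + WALL);
    if (g->mem == NULL) return -1;
    memset(g->mem, 0xFF, g->rounded);
    memset(g->mem + g->rounded, WALL_FILL, WALL);
    return 0;
}

/* Returns 1 if any guard byte was modified. */
static int wall_hit(const struct guarded *g)
{
    for (size_t i = 0; i < WALL; i++)
        if (g->mem[g->rounded + i] != WALL_FILL) return 1;
    return 0;
}

/* Model of the bug class: request `request` bytes, store payload_len bytes,
 * then write the terminating NUL at index payload_len.
 * Returns 1 on a wall hit, 0 if the write goes unnoticed, -1 on bad input
 * or allocation failure. */
int terminator_hits_wall(size_t payload_len, size_t request)
{
    struct guarded g;
    if (payload_len > request) return -1;   /* keep the model itself in bounds */
    if (guarded_alloc(&g, request) != 0) return -1;
    memset(g.mem, 'x', payload_len);
    g.mem[payload_len] = '\0';              /* the extra byte from the ticket */
    int hit = wall_hit(&g);
    free(g.mem);
    return hit;
}
```

Calling `terminator_hits_wall(n, n)` models the undersized buffer and `terminator_hits_wall(n, n + 1)` models a buffer with room for the terminator; a test corpus for this kind of decoder should therefore include inputs whose buffer size lands exactly on the granule boundary.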

comment:2 Changed 9 months ago by damato

  • Release Notes modified (diff)
