From 8df1ebaf407bb485bfe54e45358690c6ba6d1870 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 27 Mar 2011 10:52:47 +0200
Subject: [PATCH] fix (another) out-of-bounds access in CRLF conversion

if the header contained no CRs but the body (or the post-TUID part of the header) did, the TUID insertion would add an excess CR, thus overflowing the buffer by one byte.
---
 src/sync.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/sync.c b/src/sync.c
index 8c2f6b5..7f5fa70 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -211,7 +211,7 @@ msg_fetched( int sts, void *aux )
  copy_vars_t *vars = (copy_vars_t *)aux;
  SVARS(vars->aux)
  char *fmap, *buf;
- int i, len, extra, scr, tcr, lcrs, crs, lines;
+ int i, len, extra, scr, tcr, lcrs, hcrs, bcrs, lines;
  int start, sbreak = 0, ebreak = 0;
  char c;
 
@@ -224,7 +224,7 @@ msg_fetched( int sts, void *aux )
  if (vars->srec || scr != tcr) {
  fmap = vars->data.data;
  len = vars->data.len;
- extra = lines = crs = i = 0;
+ extra = lines = hcrs = bcrs = i = 0;
  if (vars->srec) {
  nloop:
  start = i;
@@ -239,7 +239,7 @@ msg_fetched( int sts, void *aux )
  goto oke;
  }
  lines++;
- crs += lcrs;
+ hcrs += lcrs;
  if (i - lcrs - 1 == start) {
  sbreak = ebreak = start;
  goto oke;
@@ -253,17 +253,17 @@ msg_fetched( int sts, void *aux )
  free( fmap );
  return vars->cb( SYNC_NOGOOD, 0, vars );
  oke:
- extra += 8 + TUIDL + 1 + (tcr && crs);
+ extra += 8 + TUIDL + 1 + (tcr && hcrs);
  }
  if (tcr != scr) {
  for (; i < len; i++) {
  c = fmap[i];
  if (c == '\r')
- crs++;
+ bcrs++;
  else if (c == '\n')
  lines++;
  }
- extra -= crs;
+ extra -= hcrs + bcrs;
  if (tcr)
  extra += lines;
  }
@@ -294,7 +294,7 @@ msg_fetched( int sts, void *aux )
  buf += 8;
  memcpy( buf, vars->srec->tuid, TUIDL );
  buf += TUIDL;
- if (tcr && crs)
+ if (tcr && hcrs)
  *buf++ = '\r';
  *buf++ = '\n';
  i = ebreak;
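Review bot: The reservation at `oke:` in the fourth hunk (`extra += 8 + TUIDL + 1 + (tcr && hcrs);`) and the write in the last hunk (`if (tcr && hcrs) *buf++ = '\r';`) encode the same decision in two places, and this is already the second one-byte overflow caused by the two sites disagreeing about what the counter covered; evaluating it once, e.g. `int tuid_cr = tcr && hcrs;` right after the header scan and using `tuid_cr` at both sites, makes a third drift impossible. As written the fix is self-consistent, since `hcrs` is no longer modified after `oke:` and `bcrs` only feeds `extra -= hcrs + bcrs;`, but nothing in the hunks records why the CR is emitted only when the already-scanned header lines contained one; a comment at `oke:` such as `/* mirror the header's line ending; hcrs deliberately excludes CRs after the TUID point, bcrs counts those separately below */` would spare the next reader this commit's archaeology. Note that the first `goto oke;` in the third hunk jumps before `hcrs += lcrs;`, so on that path the current line's CRs are not counted either — presumably intended, but worth stating in that comment. An assertion after the copy loop that `buf` has advanced by exactly `len + extra` from the allocated start would turn any future sizing mismatch into a test failure instead of a heap overflow. msg_fetched begins before the first hunk, and its allocation and copy loop lie between the hunks, outside what is shown.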