author | David Edmondson <dme@dme.org> | 2010-04-28 11:45:41 +0100 |
committer | Carl Worth <cworth@cworth.org> | 2010-06-01 16:09:29 -0700 |
commit | 1671eaecdb69133bc88fd212c77b68122fa27600 (patch) | |
tree | 197b485e31aef0f2e7edd6716e24399711d2e4e1 /gmime-filter-headers.c | |
parent | 1d528f890ad34d0de596b09024f35216947de063 (diff) |
notmuch: Fix off-by-one errors if a header is >200 characters long.
If a single header is more than 200 characters long a set of 'off by
one' errors cause memory corruption.
When allocating memory with:
a = malloc (len);
the last usable byte of the memory is 'a + len - 1' rather than 'a +
len'.
Fix the same bug in the calculation of the current write offset when the
buffer used to collect the output header has to be reallocated.
Diffstat (limited to 'gmime-filter-headers.c')
-rw-r--r-- | gmime-filter-headers.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/gmime-filter-headers.c b/gmime-filter-headers.c
index 2f3df80..7db3779 100644
--- a/gmime-filter-headers.c
+++ b/gmime-filter-headers.c
@@ -169,7 +169,7 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace,
 headers->lineptr = headers->line = malloc (headers->line_size);
 }
 lineptr = headers->lineptr;
- lineend = headers->line + headers->line_size;
+ lineend = headers->line + headers->line_size - 1;
 if (lineptr == NULL)
 return;
 outptr = filter->outbuf;
@@ -185,8 +185,8 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace,
 if (lineptr == lineend) {
 headers->line_size *= 2;
 headers->line = xrealloc (headers->line, headers->line_size);
- lineptr = headers->line + headers->line_size / 2;
- lineend = headers->line + headers->line_size;
+ lineptr = headers->line + (headers->line_size / 2) - 1;
+ lineend = headers->line + headers->line_size - 1;
 }
 if (headers->saw_nl && *inptr != ' ' && *inptr != '\t') { |
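Review bot: In the first hunk the new `lineend = headers->line + headers->line_size - 1;` is evaluated before the `if (lineptr == NULL) return;` guard, so when the preceding `malloc` fails the code does pointer arithmetic on a null pointer (undefined behaviour, even though the result is never dereferenced); the guard should come first: `lineptr = headers->lineptr; if (lineptr == NULL) return; lineend = headers->line + headers->line_size - 1;`. It is also worth noting that the first allocation uses plain `malloc` while the growth path in the second hunk uses `xrealloc`, which presumably aborts on failure rather than returning NULL, so the two paths handle out-of-memory differently and the early `return` silently drops the filtered header output; if an aborting wrapper is the project policy, `xmalloc` here would make that explicit. The `- 1` reservation is not explained at either site; since the byte being kept free is presumably written later as a terminator by code outside these hunks, a one-line comment such as `/* keep the last byte free for the terminating NUL */` next to the new `lineend` assignment would stop the next reader from "fixing" it back. filter_filter begins and ends outside the hunks shown.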