Bug 31676

Summary: converters/mpack heap buffer overflow in header parsing code
Product: Ports & Packages
Reporter: Tim J. Robbins <tim>
Component: Individual Port(s)
Assignee: Andrey A. Chernov <ache>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Tim J. Robbins 2001-11-01 00:00:00 UTC
The `left' variable, which counts the number of bytes left in the buffer,
is not updated properly when realloc() is called to increase the size of
the buffer.

Fix: The patch I had posted to the ports@FreeBSD.org mailing list earlier
was not correct. I believe this one is:

How-To-Repeat: Cause a message with a Content-Disposition or parameter to another header
that exceeds 2*1024 characters in length to be unpacked with munpack.

2048 chars isn't enough to crash it although memory is overwritten at
that point - 1mb of chars does the trick.
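
The accounting error described above, as an added example; it is not mpack's code and not the attached patch. The struct, the 1024-byte growth step and the particular wrong update of `left` are assumptions chosen to show the bug class, and writes that would fall outside the allocation are counted instead of performed.

```c
#include <stdlib.h>

#define GROW 1024   /* assumed growth step, not taken from mpack */

struct pbuf {
    char  *base;    /* start of the heap buffer */
    size_t alloc;   /* bytes actually allocated */
    size_t used;    /* bytes written so far */
    size_t left;    /* bytes the parser believes are still free */
};

/* Append one byte. With fix_left == 0 the buffer grows but `left` is set
 * to a value that no longer matches the allocation (hypothetical form of
 * the bug). With fix_left != 0 the counter is recomputed from the
 * invariant used + left == alloc. */
static int put(struct pbuf *b, char c, int fix_left, size_t *oob)
{
    if (b->left == 0) {
        char *n = realloc(b->base, b->alloc + GROW);
        if (n == NULL)
            return -1;
        b->base = n;
        b->alloc += GROW;
        b->left = fix_left ? b->alloc - b->used : b->alloc;
    }
    if (b->used < b->alloc)
        b->base[b->used] = c;   /* in bounds: perform the write */
    else
        (*oob)++;               /* would overflow the heap block: count it */
    b->used++;
    b->left--;
    return 0;
}

/* Feed `len` bytes of a constructed header parameter value and return how
 * many writes would have landed past the end of the allocation. */
size_t feed(size_t len, int fix_left)
{
    struct pbuf b = { malloc(GROW), GROW, 0, GROW };
    size_t oob = 0;
    if (b.base == NULL)
        return (size_t)-1;
    for (size_t i = 0; i < len; i++)
        if (put(&b, 'A', fix_left, &oob) != 0)
            break;
    free(b.base);
    return oob;
}
```
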
Comment 1 Pete Fritchman freebsd_committer freebsd_triage 2001-11-01 02:18:19 UTC
Responsible Changed
From-To: freebsd-ports->ache

over to maintainer
Comment 2 Andrey A. Chernov freebsd_committer freebsd_triage 2001-11-16 21:51:06 UTC
State Changed
From-To: open->closed

Committed