From: Junio C Hamano <junkio@pobox.com>
To: Alex Riesen <raa.lkml@gmail.com>
Cc: Timo Sirainen <tss@iki.fi>, git@vger.kernel.org
Subject: Re: [PATCH] Temporary fix for stack smashing in mailinfo
Date: Thu, 30 Aug 2007 15:53:06 -0700
Message-ID: <7vir6w7hyl.fsf@gitster.siamese.dyndns.org>
In-Reply-To: <20070830214824.GC15405@steel.home> (Alex Riesen's message of "Thu, 30 Aug 2007 23:48:24 +0200")
Alex Riesen <raa.lkml@gmail.com> writes:
> Junio, I cannot find time to fix the code nice and proper, but as a
> heavy user of git-am I just have to have it fixed at least like this.
> And this is ugly (and definitely incomplete), everyone be warned.
>
> Checked with valgrind, looks good (except for iconv_open reading past
> one of its arguments):
On top of your patch, I think decode_header_bq() needs to
make sure that a string with more than one piece, each of which
decodes well within piecebuf, cannot overflow outbuf[] in the
while loop.
> @@ -578,56 +588,56 @@ static int decode_header_bq(char *it)
> default:
> return rfc2047; /* no munging */
> case 'b':
> - sz = decode_b_segment(cp + 3, piecebuf, ep);
> + sz = decode_b_segment(cp + 3, piecebuf, sizeof(piecebuf), ep);
> break;
> case 'q':
> - sz = decode_q_segment(cp + 3, piecebuf, ep, 1);
> + sz = decode_q_segment(cp + 3, piecebuf, sizeof(piecebuf), ep, 1);
> break;
> }
> if (sz < 0)
> return rfc2047;
> if (metainfo_charset)
> - convert_to_utf8(piecebuf, charset_q);
> + convert_to_utf8(piecebuf, sizeof(piecebuf), charset_q);
> strcpy(out, piecebuf);
> out += strlen(out);
> in = ep + 2;
> }
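Review bot: the `strcpy(out, piecebuf);` at the end of this hunk is still unbounded. Each piece is now capped by passing `sizeof(piecebuf)` to decode_b_segment(), decode_q_segment() and convert_to_utf8(), but nothing checks how much room is left in the output buffer before the copy, and `out += strlen(out);` advances without any limit, so a header made of several pieces that each fit piecebuf can still write past the end of the output buffer. Suggest passing the output buffer's size (or a remaining-length counter) alongside `out` and returning `rfc2047` (or truncating) when the next piece would not fit, replacing the `strcpy` with a length-checked copy.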
It might also make sense to redo the lower level decoding
functions using the existing strbuf interface to build the string
without pre-set bounds.
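The concern raised above, as an added example that is not git's code: each decoded piece fits a small per-piece buffer, but joining several of them into a fixed-size output buffer needs a check on the space remaining, which a plain strcpy/strlen loop does not do. The names append_bounded(), join_pieces() and the 8-byte piecebuf are hypothetical; the helper refuses the whole string rather than writing past the output buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append `piece` to `out` (outlen bytes including the terminating NUL).
 * `*used` counts bytes already written, not counting the NUL.
 * Returns 0 on success, -1 if the piece does not fit; on failure the
 * buffer is left unchanged and still NUL-terminated. */
static int append_bounded(char *out, size_t outlen, size_t *used, const char *piece)
{
    size_t plen = strlen(piece);

    if (*used >= outlen || plen > outlen - 1 - *used)
        return -1;                       /* would overflow out[] */
    memcpy(out + *used, piece, plen + 1); /* copies the NUL as well */
    *used += plen;
    return 0;
}

/* Decode-and-join loop in the shape of decode_header_bq(): every piece
 * is checked against piecebuf, and the running total against out[].
 * Returns the number of bytes written, or -1 on any overflow. */
int join_pieces(const char *const *pieces, size_t npieces, char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < npieces; i++) {
        char piecebuf[8];                 /* hypothetical per-piece buffer */

        if (strlen(pieces[i]) >= sizeof(piecebuf))
            return -1;                    /* single piece too large */
        strcpy(piecebuf, pieces[i]);      /* safe: length checked above */
        if (append_bounded(out, outlen, &used, piecebuf) < 0)
            return -1;                    /* total would overflow out[] */
    }
    return (int)used;
}

int main(void)
{
    /* constructed input: three 7-byte pieces, 16-byte output buffer */
    const char *const pieces[] = { "abcdefg", "hijklmn", "opqrstu" };
    char out[16];

    printf("%d\n", join_pieces(pieces, 2, out, sizeof out)); /* 14 */
    printf("%d\n", join_pieces(pieces, 3, out, sizeof out)); /* -1 */
    return 0;
}
```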