mail_fetch_body() may return empty string without updating len parameter
Bug #617876 reported by
Volodymyr Kolesnykov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| uw-imap (Debian) |
Fix Released
|
Unknown
|
|||
| uw-imap (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
See Bug #617849 where this behavior crashes PHP.
In brief, when mail_fetch_body() is passed very long section (strlen(section) > 1004), mail_fetch_body() returns an empty string but does not set len parameter to zero. If the calling application has not set len to zero before calling mail_fetch_body(), it will likely to crash because len parameter will contain garbage.
$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
$ LC_ALL=C apt-cache policy libc-client2007e
libc-client2007e:
Installed: 8:2007e~dfsg-3.1
Candidate: 8:2007e~dfsg-3.1
Version table:
8:
500 http://
*** 8:2007e~dfsg-3.1 0
100 /var/lib/
Related branches
Revision history for this message
| Volodymyr Kolesnykov (sjinks) wrote | #1 |
| tags: | added: patch |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in uw-imap (Ubuntu): | |
| status: | New → Fix Released |
| tags: |
added: patch-forwarded-debian removed: patch |
| Changed in uw-imap (Debian): | |
| status: | Unknown → New |
| Changed in uw-imap (Debian): | |
| status: | New → Fix Released |
To post a comment you must log in.
Patch against src/c-client/mail.c that solves the problem.