little bugs in libmutt/lib.c



	Hi all,
other small bugs in libmutt/lib.c (patch attached):
- Line 1085: possible buffer overflow: if count == sizeof(prefix), then 
*cp = 0 writes past the end of the prefix buffer
- Line 1102: same thing for ifstring
- Line 1114: same thing for elsestring
- Line 1336: handle the case l < 6; l - 6 would be negative, but l is of type size_t 
(is that a real problem?)
Bye
Manu
--- lib.c	Tue Feb 13 10:31:05 2001
+++ lib.c.corr	Mon Jun 18 10:28:52 2001
@@ -207,7 +207,7 @@
 {
   for (; t; t = t->next)
   {
-    if (!mutt_strncasecmp (s, t->data, mutt_strlen (t->data)) || *t->data == '*')
+    if (*t->data == '*' || !mutt_strncasecmp (s, t->data, mutt_strlen (t->data)))
       return 1;
   }
   return 0;
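Review bot: With the operands swapped, `*t->data` is dereferenced on every iteration before anything else, so a list node whose `data` is NULL would fault here. If the `mutt_str*` wrappers tolerate NULL (not visible in this hunk), the old order would have matched through a zero-length compare instead of dereferencing. If `data` can be NULL, guard it with `if (t->data && (*t->data == '*' || !mutt_strncasecmp (s, t->data, mutt_strlen (t->data))))`. A short comment such as `/* "*" matches everything, otherwise case-insensitive prefix match */` would also record why the wildcard test comes first. The enclosing function starts outside the hunk.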
@@ -902,8 +902,9 @@
 {
   char *p;
 
-  for (p = s + mutt_strlen (s) - 1 ; p >= s && ISSPACE (*p) ; p--)
-    *p = 0;
+  for (p = s + mutt_strlen (s) - 1 ; p >= s && ISSPACE (*p) ; p--);
+  if (p>=s) *(p+1)=0;
+  else *s=0;
 }
 
 void mutt_pretty_size (char *s, size_t len, long n)
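Review bot: The added `else *s=0;` stores through `s` when the loop found nothing to keep, which includes `s == NULL` if `mutt_strlen` accepts NULL (not visible here); the old loop wrote nothing in that case. The loop also still forms `s - 1` for an empty or all-whitespace string, which points before the buffer and makes the `p >= s` test undefined. The empty loop body hidden behind the trailing `;` is easy to misread as well. Walking back by index avoids all three; the function's signature is outside the hunk.

```c
  /* … unchanged: function signature and opening brace … */
  size_t n;

  if (!s)
    return;
  /* walk back by index so no pointer before s is ever formed */
  for (n = mutt_strlen (s); n > 0 && ISSPACE (s[n - 1]); n--)
    ;
  s[n] = 0;
```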
@@ -1075,7 +1076,7 @@
 	/* eat the format string */
 	cp = prefix;
 	count = 0;
-	while (count < sizeof (prefix) &&
+	while (count < sizeof (prefix)-1 &&
 	       (isdigit ((unsigned char) *src) || *src == '.' || *src == '-'))
 	{
 	  *cp++ = *src++;
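Review bot: Stopping at `sizeof (prefix)-1` keeps the terminator in bounds, but when the size bound is what ends the loop, `src` is left in the middle of the over-long field. The code after the loop is outside this hunk, but it will apparently parse the leftover characters as the next part of the format. The `ifstring` and `elsestring` loops in the next two hunks have the same silent truncation. Consider consuming the rest of the field once the buffer is full, e.g. for the `if` part `while (*src && *src != '?' && *src != '&') src++;`, or treating an over-long field as a format error.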
@@ -1098,7 +1099,7 @@
         /* eat the `if' part of the string */
         cp = ifstring;
 	count = 0;
-        while (count < sizeof (ifstring) && *src && *src != '?' && *src != '&')
+        while (count < sizeof (ifstring)-1 && *src && *src != '?' && *src != '&')
 	{
           *cp++ = *src++;
 	  count++;
@@ -1110,7 +1111,7 @@
 	  src++; /* skip the & */
 	cp = elsestring;
 	count = 0;
-	while (count < sizeof (elsestring) && *src && *src != '?')
+	while (count < sizeof (elsestring)-1 && *src && *src != '?')
 	{
 	  *cp++ = *src++;
 	  count++;
@@ -1331,7 +1332,8 @@
   }
 
   /* leave some space for the trailing characters. */
-  l -= 6;
+  if (l>=6) l -= 6;
+  else l=0;
   
   d[j++] = '\'';
   
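Review bot: Clamping `l` to 0 avoids the unsigned wrap, but the `d[j++] = '\'';` right after it still stores unconditionally. The comment says six bytes are reserved for trailing characters, which are presumably written after the copy loop (outside the hunk). For a destination shorter than 6 bytes the function can therefore still write past `d`. It would be safer to reject `l < 6` before any store: terminate `d` when `l > 0` and return the function's empty-result value, rather than continuing with `l=0`.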

