author | hiro <hiro@ee746299-78ed-0310-b773-934348b2243d> | 2005-03-04 07:05:52 +0000 |
---|---|---|
committer | hiro <hiro@ee746299-78ed-0310-b773-934348b2243d> | 2005-03-04 07:05:52 +0000 |
commit | bdcba0877a6b870e40dcca384ef08be78fd0e74e (patch) | |
tree | c65bebfd067e3aaea7f9614443670b3ddee0b543 | |
parent | a80cf7559e18da4e89fae15c2ff10966b1983ffa (diff) |
fixed a buffer overflow bug.
git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@145 ee746299-78ed-0310-b773-934348b2243d
-rw-r--r-- | ChangeLog | 12 | ||||
-rw-r--r-- | ChangeLog.ja | 11 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | src/codeconv.c | 56 | ||||
-rw-r--r-- | src/codeconv.h | 7 | ||||
-rw-r--r-- | src/compose.c | 23 | ||||
-rw-r--r-- | src/news.c | 9 | ||||
-rw-r--r-- | src/procheader.c | 33 | ||||
-rw-r--r-- | src/procmime.c | 21 |
9 files changed, 82 insertions, 92 deletions
@@ -1,3 +1,15 @@
+2005-03-04
+
+ * src/codeconv.[ch]: removed conv_unmime_header_overwrite() because
+ it had introduced heap buffer overflow.
+ conv_unmime_header(): modified so that it returns newly-allocated
+ string.
+ * src/compose.c: compose_parse_header(): don't use
+ conv_unmime_header_overwrite() which introduced buffer overflow.
+ * src/procheader.c
+ src/news.c
+ src/procmime.c: followed the API change.
+
 2005-03-03
 * use Content-Type's charset as a fallback encoding of broken header
diff --git a/ChangeLog.ja b/ChangeLog.ja
index fc631c83..0ad7df39 100644
--- a/ChangeLog.ja
+++ b/ChangeLog.ja
@@ -1,3 +1,14 @@
+2005-03-04
+
+ * src/codeconv.[ch]: ヒープのバッファオーバーフローを起こしていた
+ conv_unmime_header_overwrite() を削除。
+ conv_unmime_header(): 新たに確保された文字列を返すように修正。
+ * src/compose.c: compose_parse_header(): バッファオーバーフローを
+ 起こす conv_unmime_header_overwrite() を使用しないようにした。
+ * src/procheader.c
+ src/news.c
+ src/procmime.c: API の変更に追従。
+
 2005-03-03
 * 不正なヘッダ文字列のフォールバックエンコーディングとして
diff --git a/configure.in b/configure.in
index 5b5e7ee2..c3f9ada9 100644
--- a/configure.in
+++ b/configure.in
@@ -9,7 +9,7 @@ MINOR_VERSION=9
 MICRO_VERSION=4
 INTERFACE_AGE=0
 BINARY_AGE=0
-EXTRA_VERSION=
+EXTRA_VERSION=+svn
 VERSION=$MAJOR_VERSION.$MINOR_VERSION.$MICRO_VERSION$EXTRA_VERSION
 dnl set $target
diff --git a/src/codeconv.c b/src/codeconv.c
index 36e158c0..0d494919 100644
--- a/src/codeconv.c
+++ b/src/codeconv.c
@@ -1541,54 +1541,46 @@ const gchar *conv_get_current_locale(void)
 return cur_locale;
 }
-void conv_unmime_header_overwrite(gchar *str)
-{
- gchar *buf;
- gint buflen;
-
- buflen = strlen(str) * 2 + 1;
- Xalloca(buf, buflen, return);
-
- if (conv_get_locale_charset() == C_EUC_JP)
- conv_anytodisp(buf, buflen, str);
- else
- conv_localetodisp(buf, buflen, str);
-
- unmime_header(str, buf);
-}
-
-void conv_unmime_header(gchar *outbuf, gint outlen, const gchar *str,
- const gchar *default_encoding)
+gchar *conv_unmime_header(const gchar *str, const gchar *default_encoding)
 {
 gchar *buf;
 gint buflen;
+ gchar *utf8_buf;
 if (is_ascii_str(str)) {
- unmime_header(outbuf, str);
- return;
+ buflen = strlen(str) * 6 + 1;
+ Xalloca(buf, buflen, return NULL);
+ unmime_header(buf, str);
+ return g_strdup(buf);
 }
 if (default_encoding) {
- gchar *utf8_str;
-
- utf8_str = conv_codeset_strdup
+ utf8_buf = conv_codeset_strdup
 (str, default_encoding, CS_INTERNAL);
- if (utf8_str) {
- unmime_header(outbuf, utf8_str);
- g_free(utf8_str);
- return;
+ if (utf8_buf) {
+ buflen = strlen(utf8_buf) * 6 + 1;
+ Xalloca(buf, buflen,
+ { g_free(utf8_buf); return NULL; });
+ unmime_header(buf, utf8_buf);
+ g_free(utf8_buf);
+ return g_strdup(buf);
 }
 }
- buflen = strlen(str) * 2 + 1;
- Xalloca(buf, buflen, return);
+ buflen = strlen(str) * 6 + 1;
+ Xalloca(utf8_buf, buflen, return NULL);
 if (conv_get_locale_charset() == C_EUC_JP)
- conv_anytodisp(buf, buflen, str);
+ conv_anytodisp(utf8_buf, buflen, str);
 else
- conv_localetodisp(buf, buflen, str);
+ conv_localetodisp(utf8_buf, buflen, str);
+
+ buflen = strlen(utf8_buf) * 6 + 1;
+ Xalloca(buf, buflen, return NULL);
+
+ unmime_header(buf, utf8_buf);
- unmime_header(outbuf, buf);
+ return g_strdup(buf);
 }
 #define MAX_LINELEN 76
diff --git a/src/codeconv.h b/src/codeconv.h
index 89155d7a..e2b3edda 100644
--- a/src/codeconv.h
+++ b/src/codeconv.h
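Review bot: The fix now rests entirely on the `strlen(...) * 6 + 1` sizing of `buf`, since `unmime_header(buf, ...)` still takes no output length, but nothing in the hunk records where the factor 6 comes from or ties it to unmime_header()'s worst-case growth. I would document it at the first `buflen = strlen(str) * 6 + 1;` with `/* unmime_header() has no length argument: 6x is the assumed worst-case growth of an RFC 2047 decode into UTF-8 -- keep in sync with unmime_header() */`, and longer term give unmime_header() an outlen parameter so the bound is enforced rather than assumed. The last path stacks two Xalloca()s, `utf8_buf` at 6x strlen(str) and then `buf` at 6x strlen(utf8_buf), i.e. up to 36x the input on the stack for a header whose length the sender chooses; if Xalloca is a thin alloca() wrapper whose failure branch cannot actually fire, g_malloc()/g_free() would be the safer choice for these temporaries. The function also returns NULL on those failure branches now, so a comment above it should say that the result is newly allocated, must be g_free()d by the caller and may be NULL.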
@@ -209,11 +209,8 @@ gboolean conv_is_multibyte_encoding (CharSet encoding);
 const gchar *conv_get_current_locale (void);
-void conv_unmime_header_overwrite (gchar *str);
-void conv_unmime_header (gchar *outbuf,
- gint outlen,
- const gchar *str,
- const gchar *charset);
+gchar *conv_unmime_header (const gchar *str,
+ const gchar *default_encoding);
 void conv_encode_header (gchar *dest,
 gint len,
 const gchar *src,
diff --git a/src/compose.c b/src/compose.c
index eeed9483..f86d3274 100644
--- a/src/compose.c
+++ b/src/compose.c
@@ -1164,13 +1164,14 @@ static gint compose_parse_header(Compose *compose, MsgInfo *msginfo)
 fclose(fp);
 if (hentry[H_REPLY_TO].body != NULL) {
- conv_unmime_header_overwrite(hentry[H_REPLY_TO].body);
- compose->replyto = hentry[H_REPLY_TO].body;
+ compose->replyto =
+ conv_unmime_header(hentry[H_REPLY_TO].body, NULL);
+ g_free(hentry[H_REPLY_TO].body);
 hentry[H_REPLY_TO].body = NULL;
 }
 if (hentry[H_CC].body != NULL) {
- conv_unmime_header_overwrite(hentry[H_CC].body);
- compose->cc = hentry[H_CC].body;
+ compose->cc = conv_unmime_header(hentry[H_CC].body, NULL);
+ g_free(hentry[H_CC].body);
 hentry[H_CC].body = NULL;
 }
 if (hentry[H_REFERENCES].body != NULL) {
@@ -1184,11 +1185,10 @@ static gint compose_parse_header(Compose *compose, MsgInfo *msginfo)
 hentry[H_REFERENCES].body = NULL;
 }
 if (hentry[H_BCC].body != NULL) {
- if (compose->mode == COMPOSE_REEDIT) {
- conv_unmime_header_overwrite(hentry[H_BCC].body);
- compose->bcc = hentry[H_BCC].body;
- } else
- g_free(hentry[H_BCC].body);
+ if (compose->mode == COMPOSE_REEDIT)
+ compose->bcc =
+ conv_unmime_header(hentry[H_BCC].body, NULL);
+ g_free(hentry[H_BCC].body);
 hentry[H_BCC].body = NULL;
 }
 if (hentry[H_NEWSGROUPS].body != NULL) {
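Review bot: The new declaration changes the ownership contract -- `conv_unmime_header()` now returns a freshly allocated string, and per the codeconv.c change in this commit it can also return NULL -- yet nothing in codeconv.h says so, and every caller in this commit stores the result straight into a struct field. Add above the prototype: `/* Decode RFC 2047 encoded words in str into a newly allocated UTF-8 string; default_encoding may be NULL. The caller must g_free() the result, which is NULL if a temporary buffer could not be allocated. */`.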
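Review bot: `compose->replyto` and `compose->cc` can now end up NULL even though the header was present, because conv_unmime_header() returns NULL on its Xalloca() failure branches, whereas before this hunk the field took over the raw body, which is never NULL inside this `if`. The result is indistinguishable from a missing Reply-To/Cc and the address is dropped silently; if that is not acceptable, keep the raw body as a fallback: `if (compose->replyto == NULL) compose->replyto = hentry[H_REPLY_TO].body; else g_free(hentry[H_REPLY_TO].body);`, and likewise for cc. compose_parse_header() starts before this hunk and continues after it.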
@@ -1196,8 +1196,9 @@ static gint compose_parse_header(Compose *compose, MsgInfo *msginfo)
 hentry[H_NEWSGROUPS].body = NULL;
 }
 if (hentry[H_FOLLOWUP_TO].body != NULL) {
- conv_unmime_header_overwrite(hentry[H_FOLLOWUP_TO].body);
- compose->followup_to = hentry[H_FOLLOWUP_TO].body;
+ compose->followup_to =
+ conv_unmime_header(hentry[H_FOLLOWUP_TO].body, NULL);
+ g_free(hentry[H_FOLLOWUP_TO].body);
 hentry[H_FOLLOWUP_TO].body = NULL;
 }
 if (hentry[H_LIST_POST].body != NULL) {
@@ -911,7 +911,6 @@ static GSList *news_get_uncached_articles(NNTPSession *session,
 static MsgInfo *news_parse_xover(const gchar *xover_str)
 {
 MsgInfo *msginfo;
- gchar buf[NNTPBUFSIZE];
 gchar *subject, *sender, *size, *line, *date, *msgid, *ref, *tmp;
 gchar *p;
 gint num, size_int, line_int;
@@ -944,12 +943,10 @@ static MsgInfo *news_parse_xover(const gchar *xover_str)
 msginfo->date = g_strdup(date);
 msginfo->date_t = procheader_date_parse(NULL, date, 0);
- conv_unmime_header(buf, sizeof(buf), sender, NULL);
- msginfo->from = g_strdup(buf);
- msginfo->fromname = procheader_get_fromname(buf);
+ msginfo->from = conv_unmime_header(sender, NULL);
+ msginfo->fromname = procheader_get_fromname(msginfo->from);
- conv_unmime_header(buf, sizeof(buf), subject, NULL);
- msginfo->subject = g_strdup(buf);
+ msginfo->subject = conv_unmime_header(subject, NULL);
 extract_parenthesis(msgid, '<', '>');
 remove_space(msgid);
diff --git a/src/procheader.c b/src/procheader.c
index e76ad802..99acdd79 100644
--- a/src/procheader.c
+++ b/src/procheader.c
@@ -225,7 +225,7 @@ GSList *procheader_get_header_list_from_file(const gchar *file)
 GSList *procheader_get_header_list(FILE *fp)
 {
- gchar buf[BUFFSIZE], tmp[BUFFSIZE];
+ gchar buf[BUFFSIZE];
 gchar *p;
 GSList *hlist = NULL;
 Header *header;
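Review bot: `procheader_get_fromname(msginfo->from)` is now handed a value that can be NULL, since conv_unmime_header() returns NULL on its failure branches, whereas the old code passed a stack buffer that always existed; unless procheader_get_fromname() tolerates NULL (its body is not in this diff) a failed decode of an XOVER sender field becomes a NULL dereference. Guard it: `msginfo->fromname = msginfo->from ? procheader_get_fromname(msginfo->from) : NULL;`. The same pattern appears in procheader_parse_stream() later in this commit. Note also that `sender` and `subject` here come straight from the NNTP server, so their lengths are server-controlled and now drive the alloca() sizes inside conv_unmime_header().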
@@ -240,8 +240,7 @@ GSList *procheader_get_header_list(FILE *fp)
 header->name = g_strndup(buf, p - buf);
 p++;
 while (*p == ' ' || *p == '\t') p++;
- conv_unmime_header(tmp, sizeof(tmp), p, NULL);
- header->body = g_strdup(tmp);
+ header->body = conv_unmime_header(p, NULL);
 hlist = g_slist_append(hlist, header);
 break;
@@ -298,7 +297,7 @@ gint procheader_find_header_list(GSList *hlist, const gchar *header_name)
 GPtrArray *procheader_get_header_array(FILE *fp, const gchar *encoding)
 {
- gchar buf[BUFFSIZE], tmp[BUFFSIZE];
+ gchar buf[BUFFSIZE];
 gchar *p;
 GPtrArray *headers;
 Header *header;
@@ -315,9 +314,7 @@ GPtrArray *procheader_get_header_array(FILE *fp, const gchar *encoding)
 header->name = g_strndup(buf, p - buf);
 p++;
 while (*p == ' ' || *p == '\t') p++;
- conv_unmime_header(tmp, sizeof(tmp), p,
- encoding);
- header->body = g_strdup(tmp);
+ header->body = conv_unmime_header(p, encoding);
 g_ptr_array_add(headers, header);
 break;
@@ -330,7 +327,7 @@ gint procheader_find_header_list(GSList *hlist, const gchar *header_name)
 GPtrArray *procheader_get_header_array_asis(FILE *fp, const gchar *encoding)
 {
- gchar buf[BUFFSIZE], tmp[BUFFSIZE];
+ gchar buf[BUFFSIZE];
 gchar *p;
 GPtrArray *headers;
 Header *header;
@@ -346,9 +343,7 @@ GPtrArray *procheader_get_header_array_asis(FILE *fp, const gchar *encoding)
 header = g_new(Header, 1);
 header->name = g_strndup(buf, p - buf);
 p++;
- conv_unmime_header(tmp, sizeof(tmp), p,
- encoding);
- header->body = g_strdup(tmp);
+ header->body = conv_unmime_header(p, encoding);
 g_ptr_array_add(headers, header);
 break;
@@ -507,7 +502,7 @@ MsgInfo *procheader_parse_stream(FILE *fp, MsgFlags flags, gboolean full)
 {NULL, NULL, FALSE}};
 MsgInfo *msginfo;
- gchar buf[BUFFSIZE], tmp[BUFFSIZE];
+ gchar buf[BUFFSIZE];
 gchar *reference = NULL;
 gchar *p;
 gchar *hp;
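Review bot: `header->body = conv_unmime_header(p, NULL);` can insert a Header with a NULL body into the list, because conv_unmime_header() returns NULL on its failure branches, whereas the old `g_strdup(tmp)` always yielded a string; consumers of procheader_get_header_list() that strcmp()/strlen() the body would then crash. Fall back to the raw text rather than storing NULL: `if (header->body == NULL) header->body = g_strdup(p);`. The same applies to the two procheader_get_header_array*() hunks below, and the enclosing loop begins before this hunk.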
@@ -614,24 +609,20 @@ MsgInfo *procheader_parse_stream(FILE *fp, MsgFlags flags, gboolean full)
 }
 if (from) {
- conv_unmime_header(tmp, sizeof(tmp), from, charset);
- msginfo->from = g_strdup(tmp);
- msginfo->fromname = procheader_get_fromname(tmp);
+ msginfo->from = conv_unmime_header(from, charset);
+ msginfo->fromname = procheader_get_fromname(msginfo->from);
 g_free(from);
 }
 if (to) {
- conv_unmime_header(tmp, sizeof(tmp), to, charset);
- msginfo->to = g_strdup(tmp);
+ msginfo->to = conv_unmime_header(to, charset);
 g_free(to);
 }
 if (subject) {
- conv_unmime_header(tmp, sizeof(tmp), subject, charset);
- msginfo->subject = g_strdup(tmp);
+ msginfo->subject = conv_unmime_header(subject, charset);
 g_free(subject);
 }
 if (cc) {
- conv_unmime_header(tmp, sizeof(tmp), cc, charset);
- msginfo->cc = g_strdup(tmp);
+ msginfo->cc = conv_unmime_header(cc, charset);
 g_free(cc);
 }
diff --git a/src/procmime.c b/src/procmime.c
index 39e5fde9..2a527774 100644
--- a/src/procmime.c
+++ b/src/procmime.c
@@ -403,15 +403,9 @@ void procmime_scan_content_type_str(const gchar *content_type,
 if (*value) {
 if (charset && !g_strcasecmp(attr, "charset"))
 *charset = g_strdup(value);
- else if (name && !g_strcasecmp(attr, "name")) {
- gchar *tmp;
- size_t len;
-
- len = strlen(value) + 1;
- Xalloca(tmp, len, return);
- conv_unmime_header(tmp, len, value, NULL);
- *name = g_strdup(tmp);
- } else if (boundary && !g_strcasecmp(attr, "boundary"))
+ else if (name && !g_strcasecmp(attr, "name"))
+ *name = conv_unmime_header(value, NULL);
+ else if (boundary && !g_strcasecmp(attr, "boundary"))
 *boundary = g_strdup(value);
 }
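Review bot: `*name = conv_unmime_header(value, NULL);` overwrites whatever `*name` already held without freeing it, so a Content-Type with a repeated `name=` parameter leaks the earlier string; the Content-Disposition filename path in the next hunk does `g_free(mimeinfo->filename)` first, and this branch should match with `g_free(*name);` before the assignment. That is only safe if callers initialise `*name` to NULL before calling procmime_scan_content_type_str(), which this hunk does not show. The leak is pre-existing (the removed code also assigned a fresh g_strdup() unconditionally), but the rewrite is the natural place to fix it.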
@@ -457,14 +451,9 @@ void procmime_scan_content_disposition(MimeInfo *mimeinfo,
 if (*value) {
 if (!strcasecmp(attr, "filename")) {
- gchar *tmp;
- size_t len;
-
- len = strlen(value) + 1;
- Xalloca(tmp, len, return);
- conv_unmime_header(tmp, len, value, NULL);
 g_free(mimeinfo->filename);
- mimeinfo->filename = g_strdup(tmp);
+ mimeinfo->filename =
+ conv_unmime_header(value, NULL);
 break;
 }
 } |
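Review bot: The decoded value stored in `mimeinfo->filename` is sender-controlled and, after RFC 2047 decoding, may now contain `/`, `..` or control characters that the encoded form hid; this hunk changes only how the string is produced, not what is accepted. If mimeinfo->filename is later used to build a path when saving an attachment (not visible here), take the basename and strip separators at that point, and mark the assignment with `/* decoded, unsanitised header value -- never use directly as a path */`. As with the other callers, the result is NULL on conv_unmime_header()'s failure branches, which here simply leaves no filename recorded.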