bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

some code issues


From: Nico Golde
Subject: some code issues
Date: Sat, 5 Jan 2008 18:59:08 +0100

Hi,
I had a quick look at the pop.c code today and found some 
issues.

In pop_stat:

365   if (strncmp (fromserver, "+OK ", 4))
366     {
367       if (0 == strncmp (fromserver, "-ERR", 4))
368    {
369      strncpy (pop_error, fromserver, ERROR_MAX);
370    }
371      else
372    {
373      strcpy (pop_error,
374    >···  "Unexpected response from POP server in pop_stat");
375      pop_trash (server);
376    }
377       return (-1);
378     }

380   *count = atoi (&fromserver[4]);
381 
382   fromserver = index (&fromserver[4], ' ');
383   if (! fromserver)
384     {
385       strcpy (pop_error,
386 >···      "Badly formatted response from server in pop_stat");
387       pop_trash (server);
388       return (-1);
389     }

If I don't miss anything the atoi call in 380 is not save as it is not 
save because it is not ensure that &fromserver[4] is not NULL. A crafted
pop3 server could thus crash emacs. This is of course not a real issue but
wouldn't be nice. Same for the pop_last function.

In pop_list:

440 
441   *IDs = (int *) malloc ((how_many + 1) * sizeof (int));
442   *sizes = (int *) malloc ((how_many + 1) * sizeof (int));
443   if (! (*IDs && *sizes))
444     {
445       strcpy (pop_error, "Out of memory in pop_list");
446       return (-1);
447     }
448 

in 441 and 442 there should be some check for how_many to prevent an integer
overflow here.
Same problem for the xnew macro in etags.c

What do you think about this?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - address@hidden - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp0LqWhecwn5.pgp
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]