1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From: Kevin McCarthy <kevin@8t8.us>
Date: Mon, 3 May 2021 13:11:30 -0700
Subject: Fix seqset iterator when it ends in a comma.
Origin: https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
Bug-Debian: https://bugs.debian.org/988106
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32055
If the seqset ended with a comma, the substr_end marker would be just
before the trailing nul. In the next call, the loop to skip the
marker would iterate right past the end of string too.
The fix is simple: place the substr_end marker and skip past it
immediately.
---
imap/util.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/imap/util.c b/imap/util.c
index c529fd8fba3c..488e8396d269 100644
--- a/imap/util.c
+++ b/imap/util.c
@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, unsigned int *next)
if (iter->substr_cur == iter->eostr)
return 1;
- while (!*(iter->substr_cur))
- iter->substr_cur++;
iter->substr_end = strchr (iter->substr_cur, ',');
if (!iter->substr_end)
iter->substr_end = iter->eostr;
else
- *(iter->substr_end) = '\0';
+ *(iter->substr_end++) = '\0';
range_sep = strchr (iter->substr_cur, ':');
if (range_sep)
--
2.32.0.rc0
|
