Spamprobe segfaults on bad mime input
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| spamprobe (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Dapper | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: spamprobe
In version 1.2a-1 from Ubuntu (and vanilla 1.2a) spamprobe can segfault on certain Mime input.
The bug is in MimeDecoder.cc, around line 88:
unsigned int index = (unsigned)ch;
if (BASE64_
ch is a signed char. If ch is negative, the (unsigned) cast will first zero-extend the negative char to a negative int, and thereafter treat it as unsigned, causing 'index' to be a very very large integer. BASE64_CHARS only holds 256 entries and using 'index' as index in this array causes the segfault.
The proper fix is to write:
unsigned int index = (unsigned char)ch;
if (BASE64_
This completely fixes the problem.
Please note that spamprobe version 1.4 contains another fix for this problem which, in my opinion, is overly convoluted and only fixes the real problem "by accident". I would recommend that the simple solution above is added to the Ubuntu 1.2a spamprobe package.
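As an added illustration (not code from the bug report or from spamprobe), the two casts side by side, plus a base64 lookup that stays inside a 256-entry table on any input byte. The table layout and all function names here are assumed stand-ins, not spamprobe's own.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// 256-entry reverse lookup, -1 for bytes outside the base64 alphabet.
// Hypothetical stand-in for spamprobe's BASE64_CHARS; layout assumed.
static const int8_t* base64Table() {
    static int8_t table[256];
    static bool init = false;
    if (!init) {
        std::memset(table, -1, sizeof table);
        const char* alphabet =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
        for (int i = 0; i < 64; ++i)
            table[(unsigned char)alphabet[i]] = (int8_t)i;
        init = true;
    }
    return table;
}

// The reported bug: on a platform where char is signed, a high-bit byte
// is negative, the conversion to int keeps that sign, and reinterpreting
// it as unsigned yields a value around 4 billion, far past 256 entries.
unsigned int buggyIndex(char ch) { return (unsigned)ch; }

// The proposed fix: convert through unsigned char, so the index is 0..255.
unsigned int fixedIndex(char ch) { return (unsigned char)ch; }

// Decode base64 text into bytes. Non-alphabet bytes (including high-bit
// bytes from malformed MIME) are skipped rather than indexing out of bounds;
// '=' padding ends the stream.
std::vector<uint8_t> base64Decode(const std::string& in) {
    const int8_t* table = base64Table();
    std::vector<uint8_t> out;
    uint32_t acc = 0;   // bit accumulator; only its low bits are ever used
    int bits = 0;
    for (char ch : in) {
        if (ch == '=') break;
        int8_t v = table[fixedIndex(ch)];   // always within 0..255
        if (v < 0) continue;                 // junk byte: skip, do not crash
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back((uint8_t)((acc >> bits) & 0xFF));
        }
    }
    return out;
}
```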
Thanks for this report, and your proposed fix.
Version 1.4 of spamprobe is in edgy and feisty. If you feel this vitally needs to be fixed in Dapper you can try requesting a backport by following the process at https://help.ubuntu.com/community/UbuntuBackports, to get version 1.4 backported to Dapper. However, I'm not sure this would meet the criteria laid out there.
If you'd like to change the 1.4 code to use your fix, you'll need to raise the issue with the upstream developers.