From: David Edmondson 
Date: Wed, 28 Apr 2010 10:45:41 +0000 (+0100) 
Subject: notmuch: Fix off-by-one errors if a header is >200 characters long. 
X-Git-Tag: 0.4~145 
X-Git-Url: https://git.notmuchmail.org/git?p=notmuch;a=commitdiff_plain;h=1671eaecdb69133bc88fd212c77b68122fa27600 
notmuch: Fix off-by-one errors if a header is >200 characters long. 
If a single header is more than 200 characters long a set of 'off by one' errors cause memory corruption. When allocating memory with: a = malloc (len); the last usable byte of the memory is 'a + len - 1' rather than 'a + len'. 
Fix the same bug when calculating the current offset should the buffer used for collecting the output header need to be reallocated. 
--- 
diff --git a/gmime-filter-headers.c b/gmime-filter-headers.c 
index 2f3df801..7db3779b 100644 
--- a/gmime-filter-headers.c 
+++ b/gmime-filter-headers.c 
@@ -169,7 +169,7 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace,
 headers->lineptr = headers->line = malloc (headers->line_size);
 }
 lineptr = headers->lineptr; 
- lineend = headers->line + headers->line_size; 
+ lineend = headers->line + headers->line_size - 1;
 if (lineptr == NULL)
 return;
 outptr = filter->outbuf; 
@@ -185,8 +185,8 @@ filter_filter (GMimeFilter *filter, char *inbuf, size_t inlen, size_t prespace,
 if (lineptr == lineend) {
 headers->line_size *= 2;
 headers->line = xrealloc (headers->line, headers->line_size); 
- lineptr = headers->line + headers->line_size / 2; 
- lineend = headers->line + headers->line_size; 
+ lineptr = headers->line + (headers->line_size / 2) - 1; 
+ lineend = headers->line + headers->line_size - 1;
 }
 if (headers->saw_nl && *inptr != ' ' && *inptr != '\t') {
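Review bot: In the first hunk the new `lineend = headers->line + headers->line_size - 1;` is evaluated before the `if (lineptr == NULL) return;` guard, so when the malloc() two lines above fails `headers->line` is NULL and the expression does pointer arithmetic on a null pointer, which is undefined behaviour even though the result is never used. Move the guard up so the arithmetic only runs on a live buffer: `if (lineptr == NULL) return;` immediately after `lineptr = headers->lineptr;`, then `lineend = headers->line + headers->line_size - 1;`. The `- 1` also deserves a comment saying what the reserved final byte is for — presumably the terminating NUL written when the collected line is emitted, which cannot be confirmed from this hunk — e.g. `/* last byte of the buffer is reserved (presumably for the terminating NUL) */`. filter_filter begins and ends outside this hunk.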
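Review bot: In the second hunk the growth check `if (lineptr == lineend) {` tests for exact equality, so the corrected bounds only hold as long as every store advances `lineptr` by exactly one byte and nothing else in filter_filter (which begins and ends outside this hunk) ever moves it past `lineend`; `if (lineptr >= lineend) {` costs nothing and does not silently skip the reallocation if that invariant is ever broken. The `- 1` in both rewritten lines encodes the same reserved last byte as the first hunk, and rebasing `lineptr` to `(headers->line_size / 2) - 1` is only obviously right once a reader knows `lineend` sits one short of the allocation; a comment such as `/* lineend is one byte short of the allocation, so the old end is (old_size - 1) */` next to the realloc would make that explicit. `headers->line_size *= 2` is unchecked for overflow, which is not a practical concern for header lengths but is worth noting since the size now also drives the `- 1` arithmetic.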