From: Nico Golde
Newsgroups: gmane.emacs.bugs
To: bug-gnu-emacs@gnu.org
Subject: some code issues
Date: Sat, 5 Jan 2008 18:59:08 +0100
Message-ID: <20080105175908.GA31673@ngolde.de>
Xref: news.gmane.org gmane.emacs.bugs:17315

Hi,
I had a quick look at the pop.c code today and found some
issues.

In pop_stat:

365     if (strncmp (fromserver, "+OK ", 4))
366       {
367         if (0 == strncmp (fromserver, "-ERR", 4))
368           {
369             strncpy (pop_error, fromserver, ERROR_MAX);
370           }
371         else
372           {
373             strcpy (pop_error,
374                     "Unexpected response from POP server in pop_stat");
375             pop_trash (server);
376           }
377         return (-1);
378       }

380     *count = atoi (&fromserver[4]);
381
382     fromserver = index (&fromserver[4], ' ');
383     if (! fromserver)
384       {
385         strcpy (pop_error,
386                 "Badly formatted response from server in pop_stat");
387         pop_trash (server);
388         return (-1);
389       }

If I'm not missing anything, the atoi call in 380 is not safe, because
it is not ensured that &fromserver[4] is not NULL. A crafted POP3 server
could thus crash Emacs. This is of course not a real issue, but it
wouldn't be nice. Same for the pop_last function.

In pop_list:

440
441     *IDs = (int *) malloc ((how_many + 1) * sizeof (int));
442     *sizes = (int *) malloc ((how_many + 1) * sizeof (int));
443     if (! (*IDs && *sizes))
444       {
445         strcpy (pop_error, "Out of memory in pop_list");
446         return (-1);
447       }
448

In 441 and 442 there should be some check for how_many to prevent an
integer overflow here. Same problem for the xnew macro in etags.c

What do you think about this?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
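As an added example (not code from this message or from Emacs's pop.c), the following C shows what a hardened version of the two spots discussed above could look like: the STAT reply is parsed with strtol and explicit checks instead of atoi on &fromserver[4], and the LIST table allocation refuses a how_many that would overflow (how_many + 1) * sizeof (int). The function names, the ERROR_MAX value and the omission of the pop_trash (server) call are assumptions made for this illustration; the small wrapper functions at the end exist only so the results can be checked as plain return values.

```c
/* Added example, not Emacs's pop.c: a hardened parse of the POP3 STAT reply
   and an overflow-checked allocation for the LIST tables.  The function
   names, the ERROR_MAX value and the omission of pop_trash() are assumptions
   made for this illustration. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERROR_MAX 160                   /* assumed; pop.c defines its own */
static char pop_error[ERROR_MAX];

/* Parse one unsigned decimal field at *p.  Unlike atoi, this fails instead of
   returning 0 when no digit is present, and rejects values above INT_MAX. */
static int parse_uint_field (const char **p, int *out)
{
  const char *s = *p;
  char *end;
  long v;

  if (*s < '0' || *s > '9')
    return -1;
  errno = 0;
  v = strtol (s, &end, 10);
  if (errno == ERANGE || v > INT_MAX)
    return -1;
  *p = end;
  *out = (int) v;
  return 0;
}

/* Hardened counterpart of the parsing in pop_stat: accepts exactly
   "+OK <count> <size>" and nothing else.  Returns 0 on success and -1 with
   pop_error set otherwise, like the original. */
int pop_stat_parse (const char *fromserver, int *count, int *size)
{
  const char *p;

  if (strncmp (fromserver, "+OK ", 4) != 0)
    {
      if (strncmp (fromserver, "-ERR", 4) == 0)
        {
          strncpy (pop_error, fromserver, ERROR_MAX - 1);
          pop_error[ERROR_MAX - 1] = '\0';  /* strncpy need not terminate */
        }
      else
        snprintf (pop_error, ERROR_MAX,
                  "Unexpected response from POP server in pop_stat");
      return -1;
    }

  p = fromserver + 4;   /* safe: the first four bytes matched "+OK " */
  if (parse_uint_field (&p, count) != 0 || *p != ' ')
    goto bad;
  p++;
  if (parse_uint_field (&p, size) != 0 || *p != '\0')
    goto bad;
  return 0;

 bad:
  snprintf (pop_error, ERROR_MAX,
            "Badly formatted response from server in pop_stat");
  return -1;
}

/* Overflow-checked counterpart of the malloc calls in pop_list: refuses a
   negative how_many, a how_many + 1 that would overflow int, and a byte
   count that would wrap size_t.  NULL with pop_error set on refusal. */
int *alloc_int_table (int how_many)
{
  int *table;

  if (how_many < 0 || how_many == INT_MAX
      || (size_t) how_many + 1 > SIZE_MAX / sizeof (int))
    {
      snprintf (pop_error, ERROR_MAX, "Unreasonable message count in pop_list");
      return NULL;
    }
  table = calloc ((size_t) how_many + 1, sizeof (int));
  if (! table)
    snprintf (pop_error, ERROR_MAX, "Out of memory in pop_list");
  return table;
}

/* Wrappers returning plain values so the results can be checked directly. */
int stat_count_of (const char *r) { int c, s; return pop_stat_parse (r, &c, &s) == 0 ? c : -1; }
int stat_size_of (const char *r)  { int c, s; return pop_stat_parse (r, &c, &s) == 0 ? s : -1; }
int alloc_int_table_ok (int n) { int *t = alloc_int_table (n); if (! t) return 0; free (t); return 1; }
const char *pop_last_error (void) { return pop_error; }
```

The point of parse_uint_field is that a reply such as "+OK x 5" or "+OK" is rejected rather than silently turned into a count of 0 or read past the status word, and the count is bounded before it ever reaches an allocation; alloc_int_table then treats the server-supplied count as untrusted input a second time.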