#113 bogofilter: yyinput result may exceed max_size

v1.0_(example)
closed-out-of-date
None
5
2020-04-30
2010-09-20
Tomas Hoger
No

While reviewing this old flex bug:

https://sourceforge.net/tracker/?func=detail&aid=1601111&group_id=97492&atid=618177

I've noticed that bogofilter's custom yyinput method returns an unexpected result for the input file attached to the flex bug, as it returns a result exceeding the max_size limit passed to it. It does not seem to write out of bounds of the provided buffer, though the incorrect result seems to have been causing flex to write out of bounds. I've not checked whether the extra buffer resize added to flex in response to the original bug is sufficient in all cases to avoid an out-of-bounds write.

As noted in the referenced bug, the issue can be reproduced with current bogofilter 1.2.2.
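
An added example (not bogofilter's or flex's code) of a YY_INPUT-style reader that keeps the contract discussed in the report: the count it returns never exceeds max_size, and data that does not fit is carried over to the next call. The line source, the function names and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample input: the second record is longer than a small max_size. */
static const char *sample_lines[] = {
    "short\n", "a-much-longer-line-than-the-buffer\n", NULL };
static size_t next_line;

/* Bytes already produced upstream but not yet handed to the scanner. */
static char pending[256];
static size_t pending_len, pending_off;

void reader_reset(void) { next_line = 0; pending_len = pending_off = 0; }

/* Load the next record into `pending`; returns 0 at end of input. */
static int refill(void)
{
    const char *line = sample_lines[next_line];
    if (line == NULL) return 0;
    next_line++;
    pending_len = strlen(line);
    if (pending_len > sizeof pending) pending_len = sizeof pending; /* sketch: truncate */
    memcpy(pending, line, pending_len);
    pending_off = 0;
    return 1;
}

/* YY_INPUT-style read: copy at most max_size bytes, return the count (0 = EOF).
   Whatever does not fit stays in `pending` for the next call. */
size_t bounded_yyinput(char *buf, size_t max_size)
{
    while (pending_off == pending_len)
        if (!refill()) return 0;
    size_t n = pending_len - pending_off;
    if (n > max_size) n = max_size;   /* the result never exceeds the limit */
    memcpy(buf, pending + pending_off, n);
    pending_off += n;
    return n;
}

/* Drain the reader; returns total bytes, or (size_t)-1 on a contract breach. */
size_t drain(size_t max_size)
{
    char buf[64];
    size_t n, total = 0;
    if (max_size > sizeof buf) max_size = sizeof buf;
    reader_reset();
    while ((n = bounded_yyinput(buf, max_size)) > 0) {
        if (n > max_size) return (size_t)-1;
        total += n;
    }
    return total;
}
```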

Discussion

    Matthias Andree - 2013-11-11
    • assigned_to: Matthias Andree
    • Group: --> v1.0_(example)
     
    Matthias Andree - 2020-04-30
    • status: open --> closed-out-of-date
     
    Matthias Andree - 2020-04-30

    I think this is similar to #116 - unfortunately, the URL to the flex bug is now defunct, but I believe this bug was fixed with

    commit cd33fc00802a75fe7b3b8a967bf879f7bc33c320 (refs/bisect/bad)
    Author: Matthias Andree matthias.andree@gmx.de
    Date: Sat Feb 28 20:25:42 2015 +0000

    Fix realloc() aborts on t.passthrough-truncation.
    
    Reported for Fedora 21 by Matt Garretson.
    
     
