[procmail] Added crash-fixes patch

Jaroslav Škarvada jskarvad at fedoraproject.org
Thu Mar 19 09:52:47 UTC 2015


commit 7415631c789ed6d788185c2a8a4c634a2b1105d2
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date:   Thu Mar 19 10:51:00 2015 +0100

    Added crash-fixes patch
    
    Signed-off-by: Jaroslav Škarvada <jskarvad at redhat.com>

 procmail-3.22-crash-fix.patch | 48 +++++++++++++++++++++++++++++++++++++++++++
 procmail.spec                 |  2 +-
 2 files changed, 49 insertions(+), 1 deletion(-)
---
diff --git a/procmail-3.22-crash-fix.patch b/procmail-3.22-crash-fix.patch
new file mode 100644
index 0000000..b393d8b
--- /dev/null
+++ b/procmail-3.22-crash-fix.patch
@@ -0,0 +1,48 @@
+From: Tero Marttila <terom at fixme.fi>
+Subject: Fix off-by-one error that makes procmail to segfault on certain .procmailrc files
+
+--- a/src/cstdio.c
++++ b/src/cstdio.c
+@@ -144,7 +144,7 @@
+       { case '\n':case EOF:*q='\0';
+ 	   return overflow?-1:p!=q;	     /* did we read anything at all? */
+       }
+-     if(q==end)	    /* check here so that a trailing backslash won't be lost */
++     if(q>=end)	    /* check here so that a trailing backslash won't be lost */
+ 	q=p,overflow=1;
+      *q++=i;
+    }
+@@ -199,7 +199,7 @@
+ 	   if(*(target=strchr(target,'\0')-1)=='\\')
+ 	    { if(chp2!=target)				  /* non-empty line? */
+ 		 target++;		      /* then preserve the backslash */
+-	      if(target>end-2)			  /* space enough for getbl? */
++	      if(target>=end-2)			  /* space enough for getbl? */
+ 		 target=end-linebuf,overflow=1;		/* toss what we have */
+ 	      continue;
+ 	    }
+From: Jan Darmochwal <jdarmochwal at gmx.de>
+Subject: formail memory corruption fixes
+
+--- a/src/formail.c
++++ b/src/formail.c
+@@ -219,7 +219,7 @@
+   if(i>=0&&(i!=maxindex(sest)||fldp==rdheader))		  /* found anything? */
+    { char*saddr;char*tmp;			     /* determine the weight */
+      nowm=areply&&headreply?headreply==1?sest[i].wrepl:sest[i].wrrepl:i;chp+=j;
+-     tmp=malloc(j=fldp->Tot_len-j);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0';
++     tmp=malloc((j=fldp->Tot_len-j) + 1);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0';
+      if(sest[i].head==From_)
+       { char*pastad;
+ 	if(strchr(saddr=chp,'\n'))		     /* multiple From_ lines */
+--- a/src/formisc.c
++++ b/src/formisc.c
+@@ -66,7 +66,7 @@
+ retz:	      *target='\0';
+ ret:	      return start;
+ 	    }
+-	   if(*start=='\\')
++	   if(*start=='\\' && *(start + 1))
+ 	      *target++='\\',start++;
+ 	   hitspc=2;
+ 	   goto normal;					      /* normal word */
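Review bot: In the src/formail.c part of the added patch, the allocation grows to `(j=fldp->Tot_len-j) + 1` but the terminator is still stored at `(chp=tmp)[j-1]`, so the extra byte is never initialised on this line and the patch does not say which later access needs it. I would set it explicitly with `tmp[j]='\0';` and add a comment such as `/* +1: slack byte for <the access that overran> */`, so the next maintainer does not take the padding for a mistake and remove it. Nothing visible in the hunk shows that `j` is positive at this point; if `fldp->Tot_len-j` can be zero, `[j-1]` stores one byte in front of the buffer, so either a check before the store or a comment stating why `j>0` always holds would close that gap. The enclosing function starts and ends outside the hunk, so the later uses of `chp` cannot be checked from here.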
diff --git a/procmail.spec b/procmail.spec
index 06756d7..588569e 100644
--- a/procmail.spec
+++ b/procmail.spec
@@ -82,7 +82,7 @@ rm -rf ${RPM_BUILD_ROOT}
 
 %changelog
 * Thu Mar 19 2015 Jaroslav Škarvada <jskarvad at redhat.com> - 3.22-37
-- Fixed more buffer overflows and memory corruptions
+- Fixed more buffer overflows and memory corruptions (by crash-fix patch)
 
 * Thu Sep  4 2014 Jaroslav Škarvada <jskarvad at redhat.com> - 3.22-36
 - Fixed buffer overflow in formail

