diff -r 626cd5190109 lib.c --- a/lib.c Wed May 01 23:24:11 2002 +0000 +++ b/lib.c Mon May 29 17:19:37 2006 +0900 @@ -219,6 +219,7 @@ char *safe_strdup (const char *s) return (p); } +/* strlcat with overflow detection */ char *safe_strcat (char *d, size_t l, const char *s) { char *p = d; @@ -234,6 +235,44 @@ char *safe_strcat (char *d, size_t l, co *d++ = *s++; *d = '\0'; + if (*s && !l) + { + mutt_error (_("String is truncated. Be careful!")); +#ifdef DEBUG + if (debuglevel > 2) + abort (); +#endif + sleep (1); + return NULL; + } + + return p; +} + +/* silently truncates strings - but returns NULL if truncated */ +char *strfcat (char *d, size_t l, const char *s) +{ + char *p = d; + + if (!l) + return d; + + l--; /* Space for the trailing '\0'. */ + + for (; *d && l; l--) + d++; + for (; *s && l; l--) + *d++ = *s++; + + *d = '\0'; + + if (*s && !l) + { +#ifdef DEBUG + if (debuglevel >= 1) fprintf (debugfile, "strfcat: truncation occurred.\n")); +#endif + return NULL; + } return p; } @@ -768,7 +807,11 @@ char *mutt_concat_path (char *d, const c if (!*fname || (*dir && dir[strlen(dir)-1] == '/')) fmt = "%s%s"; - snprintf (d, l, fmt, dir, fname); + if (snprintf (d, l, fmt, dir, fname) >= l) + { + mutt_error (_("Path too long: truncated.")); + sleep (1); + } return d; } diff -r 626cd5190109 lib.h --- a/lib.h Wed May 01 23:24:11 2002 +0000 +++ b/lib.h Mon May 29 17:19:37 2006 +0900 
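Review bot: The DEBUG branch of the new strfcat() has an unbalanced parenthesis, `fprintf (debugfile, "strfcat: truncation occurred.\n"));`, so a build with DEBUG defined will not compile; it should end in `.\n");`. In the same hunk safe_strcat() now returns NULL on truncation but still leaves the shortened, NUL-terminated string in d. Callers that ignore the return value keep working with that shortened string. The header comment should state this contract, for example `/* appends s to d; on truncation d holds the shortened string and NULL is returned */`.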
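Review bot: mutt_concat_path() reports the truncation but still falls through to `return d;`, so the caller receives a shortened path and cannot tell it from a complete one. A shortened path can name a different file than the one requested, so the failure should be visible to the caller; whether callers can cope with an empty result such as `d[0] = '\0';` is not visible in this hunk and needs checking. The comparison `snprintf (d, l, fmt, dir, fname) >= l` also mixes int and size_t; a negative return converts to a large unsigned value and takes the error branch, which is acceptable here but deserves a comment or an explicit cast.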
@@ -79,6 +79,38 @@ # define ISSPACE(c) isspace((unsigned char)c) # define strfcpy(A,B,C) strncpy(A,B,C), *(A+(C)-1)=0 +# ifdef DEBUG +# define safe_snprintf(L,F) \ + do { \ + if (snprintf F >= (L)) { \ + mutt_error (_("String is truncated. Be careful!")); \ + if (debuglevel > 2) abort(); \ + } \ + } while (0) + +# define safe_strfcpy(D,S,L) \ + do { \ + if (strlen(S) >= (L)) { \ + mutt_error (_("String is truncated. Be careful!")); \ + if (debuglevel > 2) abort(); \ + } \ + strfcpy (D,S,L); \ + } while (0) +# else +# define safe_snprintf(L,F) \ + do { \ + if (snprintf F >= (L)) \ + mutt_error (_("String is truncated. Be careful!")); \ + } while (0) + +# define safe_strfcpy(D,S,L) \ + do { \ + if (strlen(S) >= (L)) \ + mutt_error (_("String is truncated. Be careful!")); \ + strfcpy (D,S,L); \ + } while (0) +# endif + # undef MAX # undef MIN # define MAX(a,b) ((a) < (b) ? (b) : (a)) @@ -118,6 +150,7 @@ char *mutt_substrcpy (char *, const char char *mutt_substrcpy (char *, const char *, const char *, size_t); char *mutt_substrdup (const char *, const char *); char *safe_strcat (char *, size_t, const char *); +char *strfcat (char *, size_t, const char *); char *safe_strncat (char *, size_t, const char *, size_t); char *safe_strdup (const char *); diff -r 626cd5190109 account.c --- a/account.c Wed May 01 23:24:11 2002 +0000 +++ b/account.c Mon May 29 17:19:37 2006 +0900 
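Review bot: safe_strfcpy and safe_snprintf expand to `do { ... } while (0)` statements and so produce no value, yet the imap/auth_sasl.c hunk of this patch writes `if (safe_strfcpy (buf + olen, "\r\n", sizeof (buf) - olen) == NULL)`, which cannot compile. Either turn the helpers into functions that return a status, or replace that call site with an explicit length check before `strfcpy`, as the account.c hunks do. The macros also evaluate S and L more than once, so arguments with side effects must not be passed; a comment above the definitions should say so.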
@@ -68,18 +68,22 @@ int mutt_account_fromurl (ACCOUNT* accou int mutt_account_fromurl (ACCOUNT* account, ciss_url_t* url) { /* must be present */ - if (url->host) + if (url->host && strlen (url->host) < sizeof (account->host)) strfcpy (account->host, url->host, sizeof (account->host)); else return -1; if (url->user) { + if (strlen (url->user) >= sizeof (account->user)) + return -1; strfcpy (account->user, url->user, sizeof (account->user)); account->flags |= M_ACCT_USER; } if (url->pass) { + if (strlen (url->pass) >= sizeof (account->pass)) + return -1; strfcpy (account->pass, url->pass, sizeof (account->pass)); account->flags |= M_ACCT_PASS; } diff -r 626cd5190109 attach.c --- a/attach.c Wed May 01 23:24:11 2002 +0000 +++ b/attach.c Mon May 29 17:19:37 2006 +0900 @@ -100,9 +100,17 @@ int mutt_compose_attachment (BODY *a) { if (entry->composetypecommand) + { + if (strlen (entry->composetypecommand) >= sizeof (command)) + goto bailout; strfcpy (command, entry->composetypecommand, sizeof (command)); + } else + { + if (strlen (entry->composecommand) >= sizeof (command)) + goto bailout; strfcpy (command, entry->composecommand, sizeof (command)); + } if (rfc1524_expand_filename (entry->nametemplate, a->filename, newfile, sizeof (newfile))) { @@ -234,6 +242,8 @@ int mutt_edit_attachment (BODY *a) if (entry->editcommand) { + if (strlen (entry->editcommand) >= sizeof (command)) + goto bailout; strfcpy (command, entry->editcommand, sizeof (command)); if (rfc1524_expand_filename (entry->nametemplate, a->filename, newfile, sizeof (newfile))) @@ -456,6 +466,11 @@ int mutt_view_attachment (FILE *fp, BODY mutt_error _("MIME type not defined. Cannot view attachment."); goto return_error; } + if (strlen (entry->command) >= sizeof (command)) + { + mutt_error _("Command too long. Cannot view attachment."); + goto return_error; + } strfcpy (command, entry->command, sizeof (command)); if (fp) 
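Review bot: The too-long checks added to mutt_compose_attachment and mutt_edit_attachment jump to bailout without telling the user why nothing happened, while the mutt_view_attachment hunk in the same file reports `Command too long. Cannot view attachment.`. Add a `mutt_error` call before each `goto bailout` so the three paths behave alike. The bailout label lies outside these hunks, so confirm that it releases entry on this early exit.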
@@ -981,6 +996,8 @@ int mutt_print_attachment (FILE *fp, BOD if (fp) mutt_save_attachment (fp, a, newfile, 0, NULL); + if (strlen (entry->printcommand) >= sizeof (command)) + return 0; strfcpy (command, entry->printcommand, sizeof (command)); piped = rfc1524_expand_command (a, newfile, type, command, sizeof (command)); diff -r 626cd5190109 buffy.c --- a/buffy.c Wed May 01 23:24:11 2002 +0000 +++ b/buffy.c Mon May 29 17:19:37 2006 +0900 @@ -180,6 +180,8 @@ int mutt_parse_mailboxes (BUFFER *path, while (MoreArgs (s)) { mutt_extract_token (path, s, 0); + if (strlen (path->data) >= sizeof (buf)) + return -1; strfcpy (buf, path->data, sizeof (buf)); if(data == M_UNMAILBOXES && mutt_strcmp(buf,"*") == 0) diff -r 626cd5190109 commands.c --- a/commands.c Wed May 01 23:24:11 2002 +0000 +++ b/commands.c Mon May 29 17:19:37 2006 +0900 @@ -216,8 +216,12 @@ int mutt_display_message (HEADER *cur) int r; mutt_endwin (NULL); - snprintf (buf, sizeof (buf), "%s %s", NONULL(Pager), tempfile); - if ((r = mutt_system (buf)) == -1) + if (snprintf (buf, sizeof (buf), "%s %s", NONULL(Pager), tempfile) >= sizeof (buf)) + { + r = -1; + mutt_error (_("Pager command too long!")); + } + else if ((r = mutt_system (buf)) == -1) mutt_error (_("Error running \"%s\"!"), buf); unlink (tempfile); keypad (stdscr, TRUE); diff -r 626cd5190109 compose.c --- a/compose.c Wed May 01 23:24:11 2002 +0000 +++ b/compose.c Mon May 29 17:19:37 2006 +0900 @@ -1178,8 +1178,10 @@ int mutt_compose_menu (HEADER *msg, /* case OP_COMPOSE_ISPELL: endwin (); - snprintf (buf, sizeof (buf), "%s -x %s", NONULL(Ispell), msg->content->filename); - if (mutt_system (buf) == -1) + if (snprintf (buf, sizeof (buf), "%s -x %s", NONULL(Ispell), msg->content->filename) + >= sizeof (buf)) + mutt_error (_("Ispell command too long!")); + else if (mutt_system (buf) == -1) mutt_error (_("Error running \"%s\"!"), buf); else { diff -r 626cd5190109 crypt-gpgme.c --- a/crypt-gpgme.c Wed May 01 23:24:11 2002 +0000 
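Review bot: The new early `return 0` in mutt_print_attachment comes directly after `mutt_save_attachment (fp, a, newfile, 0, NULL)`, so when the print command is too long the copy of the attachment already written to newfile appears to stay on disk, and the user sees no message. The remainder of the function is outside the hunk, so check what the normal exit path cleans up (newfile, entry) and send this case through the same path. At minimum report the failure before returning, in the style used for the view case, for example `mutt_error _("Print command too long.");`.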
+++ b/crypt-gpgme.c Mon May 29 17:19:37 2006 +0900 @@ -3560,15 +3560,15 @@ static crypt_key_t *crypt_select_key (cr helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), menu_to_use, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Check key "), menu_to_use, OP_VERIFY_KEY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Help"), menu_to_use, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); menu = mutt_new_menu (); menu->max = i; @@ -4154,7 +4154,7 @@ static int gpgme_send_menu (HEADER *msg, is_smime? APPLICATION_SMIME:APPLICATION_PGP, NULL))) { - snprintf (input_signas, sizeof (input_signas), "0x%s", crypt_keyid (p)); + safe_snprintf (sizeof (input_signas), (input_signas, sizeof (input_signas), "0x%s", crypt_keyid (p))); mutt_str_replace (is_smime? &SmimeDefaultKey : &PgpSignAs, input_signas); crypt_free_key (&p); diff -r 626cd5190109 edit.c --- a/edit.c Wed May 01 23:24:11 2002 +0000 +++ b/edit.c Mon May 29 17:19:37 2006 +0900 @@ -334,7 +334,7 @@ int mutt_builtin_editor (const char *pat tmp[0] = 0; while (!done) { - if (mutt_enter_string (tmp, sizeof (tmp), LINES-1, 0, 0) == -1) + if (mutt_enter_string (tmp, sizeof (tmp) - 1, LINES-1, 0, 0) == -1) { tmp[0] = 0; continue; diff -r 626cd5190109 getdomain.c --- a/getdomain.c Wed May 01 23:24:11 2002 +0000 +++ b/getdomain.c Mon May 29 17:19:37 2006 +0900 @@ -55,6 +55,8 @@ int getdnsdomainname (char *s, size_t l) if (q) { strip_trailing_dot (q); + if (strlen (q) >= l) /* ignore too long one */ + continue; strfcpy (s, q, l); safe_fclose (&f); return 0; diff -r 626cd5190109 handler.c 
--- a/handler.c Wed May 01 23:24:11 2002 +0000 +++ b/handler.c Mon May 29 18:15:25 2006 +0900 @@ -1536,6 +1536,12 @@ int autoview_handler (BODY *a, STATE *s) if (entry->command) { + if (strlen (entry->command) >= sizeof (command)) + { + mutt_error (_("Autoview command: Too long.")); + rfc1524_free_entry (&entry); + return -1; + } strfcpy (command, entry->command, sizeof (command)); /* rfc1524_expand_command returns 0 if the file is required */ diff -r 626cd5190109 imap/auth_cram.c --- a/imap/auth_cram.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/auth_cram.c Mon May 29 17:19:37 2006 +0900 @@ -93,13 +93,13 @@ imap_auth_res_t imap_auth_cram_md5 (IMAP */ hmac_md5 (idata->conn->account.pass, obuf, hmac_response); /* dubious optimisation I saw elsewhere: make the whole string in one call */ - snprintf (obuf, sizeof (obuf), + safe_snprintf (sizeof (obuf), (obuf, sizeof (obuf), "%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", idata->conn->account.user, hmac_response[0], hmac_response[1], hmac_response[2], hmac_response[3], hmac_response[4], hmac_response[5], hmac_response[6], hmac_response[7], hmac_response[8], hmac_response[9], hmac_response[10], hmac_response[11], - hmac_response[12], hmac_response[13], hmac_response[14], hmac_response[15]); + hmac_response[12], hmac_response[13], hmac_response[14], hmac_response[15])); dprint(2, (debugfile, "CRAM response: %s\n", obuf)); /* XXX - ibuf must be long enough to store the base64 encoding of obuf, diff -r 626cd5190109 imap/auth_gss.c --- a/imap/auth_gss.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/auth_gss.c Mon May 29 17:19:37 2006 +0900 
@@ -64,7 +64,8 @@ imap_auth_res_t imap_auth_gss (IMAP_DATA return IMAP_AUTH_FAILURE; /* get an IMAP service ticket for the server */ - snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host); + if (snprintf (buf1, sizeof (buf1), "imap@%s", idata->conn->account.host) >= sizeof (buf1)) + return IMAP_AUTH_FAILURE; request_buf.value = buf1; request_buf.length = strlen (buf1) + 1; maj_stat = gss_import_name (&min_stat, &request_buf, gss_nt_service_name, diff -r 626cd5190109 imap/auth_login.c --- a/imap/auth_login.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/auth_login.c Mon May 29 17:19:37 2006 +0900 @@ -58,8 +58,10 @@ imap_auth_res_t imap_auth_login (IMAP_DA idata->conn->account.user)); #endif - snprintf (buf, sizeof (buf), "LOGIN %s %s", q_user, q_pass); - rc = imap_exec (idata, buf, IMAP_CMD_FAIL_OK | IMAP_CMD_PASS); + if (snprintf (buf, sizeof (buf), "LOGIN %s %s", q_user, q_pass) >= sizeof (buf)) + rc = -1; + else + rc = imap_exec (idata, buf, IMAP_CMD_FAIL_OK | IMAP_CMD_PASS); if (!rc) return IMAP_AUTH_SUCCESS; diff -r 626cd5190109 imap/auth_sasl.c --- a/imap/auth_sasl.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/auth_sasl.c Mon May 29 17:19:37 2006 +0900 @@ -172,7 +172,8 @@ imap_auth_res_t imap_auth_sasl (IMAP_DAT if (irc == IMAP_CMD_RESPOND) { - strfcpy (buf + olen, "\r\n", sizeof (buf) - olen); + if (safe_strfcpy (buf + olen, "\r\n", sizeof (buf) - olen) == NULL) + goto bail; mutt_socket_write (idata->conn, buf); } diff -r 626cd5190109 imap/browse.c --- a/imap/browse.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/browse.c Mon May 29 17:19:37 2006 +0900 @@ -27,6 +27,7 @@ #include #include "mutt.h" +#include "lib.h" #include "imap_private.h" /* -- forward declarations -- */ 
@@ -110,7 +111,7 @@ int imap_browse (char* path, struct brow * aren't already going to */ if (mbox[n-1] != idata->delim) { - snprintf (buf, sizeof (buf), "%s \"\" \"%s\"", list_cmd, mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "%s \"\" \"%s\"", list_cmd, mbox)); imap_cmd_start (idata, buf); idata->cmddata = &list; do @@ -211,10 +212,10 @@ int imap_browse (char* path, struct brow nsup = state->entrylen; dprint (3, (debugfile, "imap_browse: Quoting mailbox scan: %s -> ", mbox)); - snprintf (buf, sizeof (buf), "%s%%", mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "%s%%", mbox)); imap_quote_string (buf2, sizeof (buf2), buf); dprint (3, (debugfile, "%s\n", buf2)); - snprintf (buf, sizeof (buf), "%s \"\" %s", list_cmd, buf2); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "%s \"\" %s", list_cmd, buf2)); if (browse_add_list_result (idata, buf, state, 0)) goto fail; @@ -582,12 +583,18 @@ static int browse_verify_namespace (IMAP * of data in some cases, I guess, but I currently feel that's better * than invisible namespaces */ if (nsi->delim) - snprintf (buf, sizeof (buf), "%s \"\" \"%s%c%%\"", + { + if (snprintf (buf, sizeof (buf), "%s \"\" \"%s%c%%\"", option (OPTIMAPLSUB) ? "LSUB" : "LIST", nsi->prefix, - nsi->delim); + nsi->delim) >= sizeof (buf)) + return -1; + } else - snprintf (buf, sizeof (buf), "%s \"\" \"%s%%\"", - option (OPTIMAPLSUB) ? "LSUB" : "LIST", nsi->prefix); + { + if (snprintf (buf, sizeof (buf), "%s \"\" \"%s%%\"", + option (OPTIMAPLSUB) ? "LSUB" : "LIST", nsi->prefix) >= sizeof (buf)) + return -1; + } imap_cmd_start (idata, buf); idata->cmddata = &list; diff -r 626cd5190109 imap/imap.c --- a/imap/imap.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/imap.c Mon May 29 17:19:37 2006 +0900 
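Review bot: safe_snprintf only reports the truncation; the next statement, `imap_cmd_start (idata, buf);`, still sends the shortened command. The imap/imap.c hunks use the same pattern ahead of `imap_exec` for CREATE, RENAME and DELETE, and in imap_create_mailbox buf and mbox are both LONG_STRING, so a long mailbox name can be cut and the command applied to a different name than the one the user chose. mx.c's invoke_dotlock likewise hands a possibly shortened string to `mutt_system`. These call sites should fail rather than proceed, as browse_verify_namespace does later in this file with `if (snprintf (...) >= sizeof (buf)) return -1;`.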
@@ -87,9 +87,9 @@ int imap_access (const char* path, int f imap_munge_mbox_name (mbox, sizeof (mbox), mailbox); if (mutt_bit_isset (idata->capabilities, IMAP4REV1)) - snprintf (buf, sizeof (buf), "STATUS %s (UIDVALIDITY)", mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "STATUS %s (UIDVALIDITY)", mbox)); else if (mutt_bit_isset (idata->capabilities, STATUS)) - snprintf (buf, sizeof (buf), "STATUS %s (UID-VALIDITY)", mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "STATUS %s (UID-VALIDITY)", mbox)); else { dprint (2, (debugfile, "imap_access: STATUS not supported?\n")); @@ -110,7 +110,7 @@ int imap_create_mailbox (IMAP_DATA* idat char buf[LONG_STRING], mbox[LONG_STRING]; imap_munge_mbox_name (mbox, sizeof (mbox), mailbox); - snprintf (buf, sizeof (buf), "CREATE %s", mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "CREATE %s", mbox)); if (imap_exec (idata, buf, 0) != 0) return -1; @@ -127,7 +127,7 @@ int imap_rename_mailbox (IMAP_DATA* idat imap_munge_mbox_name (oldmbox, sizeof (oldmbox), mx->mbox); imap_munge_mbox_name (newmbox, sizeof (newmbox), newname); - snprintf (buf, sizeof (buf), "RENAME %s %s", oldmbox, newmbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "RENAME %s %s", oldmbox, newmbox)); if (imap_exec (idata, buf, 0) != 0) return -1; @@ -152,7 +152,7 @@ int imap_delete_mailbox (CONTEXT* ctx, I } imap_munge_mbox_name (mbox, sizeof (mbox), mx.mbox); - snprintf (buf, sizeof (buf), "DELETE %s", mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "DELETE %s", mbox)); if (imap_exec ((IMAP_DATA*) idata, buf, 0) != 0) return -1; @@ -262,7 +262,7 @@ void imap_expunge_mailbox (IMAP_DATA* id #if USE_HCACHE if (hc) { - sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); + safe_snprintf (sizeof (uidbuf), (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid)); mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen); } #endif 
@@ -582,7 +582,7 @@ int imap_open_mailbox (CONTEXT* ctx) /* pipeline ACL test */ if (mutt_bit_isset (idata->capabilities, ACL)) { - snprintf (bufout, sizeof (bufout), "MYRIGHTS %s", buf); + safe_snprintf (sizeof (bufout), (bufout, sizeof (bufout), "MYRIGHTS %s", buf)); imap_cmd_queue (idata, bufout); } /* assume we have all rights if ACL is unavailable */ @@ -602,8 +602,8 @@ int imap_open_mailbox (CONTEXT* ctx) && mutt_account_match (&pmx.account, &mx.account)) imap_status (Postponed, 1); - snprintf (bufout, sizeof (bufout), "%s %s", - ctx->readonly ? "EXAMINE" : "SELECT", buf); + safe_snprintf (sizeof (bufout), (bufout, sizeof (bufout), "%s %s", + ctx->readonly ? "EXAMINE" : "SELECT", buf)); idata->state = IMAP_SELECTED; @@ -975,7 +975,7 @@ int imap_sync_message (IMAP_DATA *idata, return 0; } - snprintf (uid, sizeof (uid), "%u", HEADER_DATA(hdr)->uid); + safe_snprintf (sizeof (uid), (uid, sizeof (uid), "%u", HEADER_DATA(hdr)->uid)); cmd->dptr = cmd->data; mutt_buffer_addstr (cmd, "UID STORE "); mutt_buffer_addstr (cmd, uid); @@ -1148,7 +1148,7 @@ int imap_sync_mailbox (CONTEXT* ctx, int #if USE_HCACHE if (hc && h->deleted) { - sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); + safe_snprintf (sizeof (uidbuf), (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid)); mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen); } #endif @@ -1461,7 +1461,7 @@ int imap_buffy_check (int force) } imap_munge_mbox_name (munged, sizeof (munged), name); - snprintf (command, sizeof (command), "STATUS %s (UIDNEXT UIDVALIDITY UNSEEN)", munged); + safe_snprintf (sizeof (command), (command, sizeof (command), "STATUS %s (UIDNEXT UIDVALIDITY UNSEEN)", munged)); if (imap_cmd_queue (idata, command) < 0) { 
@@ -1517,7 +1517,7 @@ int imap_status (char* path, int queue) mutt_bit_isset(idata->capabilities,STATUS)) { imap_munge_mbox_name (mbox, sizeof(mbox), buf); - snprintf (buf, sizeof (buf), "STATUS %s (%s)", mbox, "MESSAGES"); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "STATUS %s (%s)", mbox, "MESSAGES")); imap_unmunge_mbox_name (mbox); } else @@ -1744,8 +1744,8 @@ int imap_subscribe (char *path, int subs memset (&token, 0, sizeof (token)); err.data = errstr; err.dsize = sizeof (errstr); - snprintf (mbox, sizeof (mbox), "%smailboxes \"%s\"", - subscribe ? "" : "un", path); + safe_snprintf (sizeof (mbox), (mbox, sizeof (mbox), "%smailboxes \"%s\"", + subscribe ? "" : "un", path)); if (mutt_parse_rc_line (mbox, &token, &err)) dprint (1, (debugfile, "Error adding subscribed mailbox: %s\n", errstr)); FREE (&token.data); @@ -1757,7 +1757,7 @@ int imap_subscribe (char *path, int subs mutt_message (_("Unsubscribing from %s..."), buf); imap_munge_mbox_name (mbox, sizeof(mbox), buf); - snprintf (buf, sizeof (buf), "%sSUBSCRIBE %s", subscribe ? "" : "UN", mbox); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "%sSUBSCRIBE %s", subscribe ? "" : "UN", mbox)); if (imap_exec (idata, buf, 0) < 0) goto fail; @@ -1880,8 +1880,8 @@ int imap_complete(char* dest, size_t dle list[0] = '\0'; /* fire off command */ - snprintf (buf, sizeof(buf), "%s \"\" \"%s%%\"", - option (OPTIMAPLSUB) ? "LSUB" : "LIST", list); + safe_snprintf (sizeof(buf), (buf, sizeof(buf), "%s \"\" \"%s%%\"", + option (OPTIMAPLSUB) ? "LSUB" : "LIST", list)); imap_cmd_start (idata, buf); diff -r 626cd5190109 imap/message.c --- a/imap/message.c Wed May 01 23:24:11 2002 +0000 +++ b/imap/message.c Mon May 29 17:19:37 2006 +0900 
@@ -82,13 +82,23 @@ int imap_read_headers (IMAP_DATA* idata, if (mutt_bit_isset (idata->capabilities,IMAP4REV1)) { - snprintf (hdrreq, sizeof (hdrreq), "BODY.PEEK[HEADER.FIELDS (%s%s%s)]", - want_headers, ImapHeaders ? " " : "", ImapHeaders ? ImapHeaders : ""); + if (snprintf (hdrreq, sizeof (hdrreq), "BODY.PEEK[HEADER.FIELDS (%s%s%s)]", + want_headers, ImapHeaders ? " " : "", ImapHeaders ? ImapHeaders : "") >= sizeof (hdrreq)) + { + mutt_error (_("imap_headers: too long.")); + mutt_sleep (2); + return -1; + } } else if (mutt_bit_isset (idata->capabilities,IMAP4)) { - snprintf (hdrreq, sizeof (hdrreq), "RFC822.HEADER.LINES (%s%s%s)", - want_headers, ImapHeaders ? " " : "", ImapHeaders ? ImapHeaders : ""); + if (snprintf (hdrreq, sizeof (hdrreq), "RFC822.HEADER.LINES (%s%s%s)", + want_headers, ImapHeaders ? " " : "", ImapHeaders ? ImapHeaders : "") >= sizeof (hdrreq)) + { + mutt_error (_("imap_headers: too long.")); + mutt_sleep (2); + return -1; + } } else { /* Unable to fetch headers for lower versions */ @@ -131,8 +141,8 @@ int imap_read_headers (IMAP_DATA* idata, } if (evalhc) { - snprintf (buf, sizeof (buf), - "UID FETCH 1:%u (UID FLAGS)", *uidnext - 1); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), + "UID FETCH 1:%u (UID FLAGS)", *uidnext - 1)); FREE (&uidnext); imap_cmd_start (idata, buf); @@ -158,7 +168,7 @@ int imap_read_headers (IMAP_DATA* idata, else if (mfhrc < 0) break; - sprintf(uid_buf, "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ + safe_snprintf (sizeof (uid_buf), (uid_buf, sizeof (uid_buf), "/%u", h.data->uid)); /* XXX --tg 21:41 04-07-11 */ uid_validity = (unsigned int*)mutt_hcache_fetch (hc, uid_buf, &imap_hcache_keylen); if (uid_validity != NULL && *uid_validity == idata->uid_validity) 
@@ -225,9 +235,9 @@ int imap_read_headers (IMAP_DATA* idata, * If we get more messages while doing this, we make another * request for all the new messages. */ - snprintf (buf, sizeof (buf), + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "FETCH %d:%d (UID FLAGS INTERNALDATE RFC822.SIZE %s)", msgno + 1, - fetchlast, hdrreq); + fetchlast, hdrreq)); imap_cmd_start (idata, buf); } @@ -287,7 +297,7 @@ int imap_read_headers (IMAP_DATA* idata, ctx->hdrs[msgno]->content->length = h.content_length; #if USE_HCACHE - sprintf(uid_buf, "/%u", h.data->uid); + safe_snprintf (sizeof (uid_buf), (uid_buf, sizeof (uid_buf), "/%u", h.data->uid)); mutt_hcache_store(hc, uid_buf, ctx->hdrs[msgno], idata->uid_validity, &imap_hcache_keylen); #endif /* USE_HCACHE */ @@ -413,10 +423,10 @@ int imap_fetch_message (MESSAGE *msg, CO * command handler */ h->active = 0; - snprintf (buf, sizeof (buf), "UID FETCH %u %s", HEADER_DATA(h)->uid, + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "UID FETCH %u %s", HEADER_DATA(h)->uid, (mutt_bit_isset (idata->capabilities, IMAP4REV1) ? (option (OPTIMAPPEEK) ? "BODY.PEEK[]" : "BODY[]") : - "RFC822")); + "RFC822"))); imap_cmd_start (idata, buf); do @@ -595,13 +605,13 @@ int imap_append_message (CONTEXT *ctx, M mutt_progress_bar (&progressbar, 0); imap_munge_mbox_name (mbox, sizeof (mbox), mailbox); - snprintf (buf, sizeof (buf), "APPEND %s (%s%s%s%s%s) {%lu}", mbox, + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "APPEND %s (%s%s%s%s%s) {%lu}", mbox, msg->flags.read ? "\\Seen" : "", msg->flags.read && (msg->flags.replied || msg->flags.flagged) ? " " : "", msg->flags.replied ? "\\Answered" : "", msg->flags.replied && msg->flags.flagged ? " " : "", msg->flags.flagged ? "\\Flagged" : "", - (unsigned long) len); + (unsigned long) len)); imap_cmd_start (idata, buf); 
@@ -755,7 +765,7 @@ int imap_copy_messages (CONTEXT* ctx, HE else { mutt_message (_("Copying message %d to %s..."), h->index+1, mbox); - snprintf (uid, sizeof (uid), "%u", HEADER_DATA (h)->uid); + safe_snprintf (sizeof (uid), (uid, sizeof (uid), "%u", HEADER_DATA (h)->uid)); mutt_buffer_addstr (&cmd, uid); if (h->active && h->changed) @@ -851,15 +861,15 @@ static int msg_cache_path (IMAP_DATA* id account = &idata->conn->account; - snprintf (buf, len, "%s/", ImapCachedir); + safe_snprintf (len, (buf, len, "%s/", ImapCachedir)); slen = mutt_strlen (buf); if (account->flags & M_ACCT_USER) - snprintf (buf + slen, len - slen, "%s@", account->user); + safe_snprintf (len - slen, (buf + slen, len - slen, "%s@", account->user)); safe_strcat (buf, len, account->host); if (account->flags & M_ACCT_PORT) { slen = mutt_strlen (buf); - snprintf (buf + slen, len - slen, ":%hu", account->port); + safe_snprintf (len - slen, (buf + slen, len - slen, ":%hu", account->port)); } safe_strcat (buf, len, "/"); @@ -886,8 +896,8 @@ static int msg_cache_path (IMAP_DATA* id *s = '\0'; slen = mutt_strlen (buf); - snprintf (buf + slen, len - slen, "/%u-%u", idata->uid_validity, - HEADER_DATA(h)->uid); + safe_snprintf (len - slen, (buf + slen, len - slen, "/%u-%u", idata->uid_validity, + HEADER_DATA(h)->uid)); return 0; } @@ -941,6 +951,7 @@ void imap_add_keywords (char* s, HEADER* void imap_add_keywords (char* s, HEADER* h, LIST* mailbox_flags, size_t slen) { LIST *keywords; + size_t spos = strlen (s); if (!mailbox_flags || !HEADER_DATA(h) || !HEADER_DATA(h)->keywords) return; @@ -951,6 +962,13 @@ void imap_add_keywords (char* s, HEADER* { if (imap_has_flag (mailbox_flags, keywords->data)) { + spos += strlen (keywords->data); + if (spos + 1 > slen) + { + mutt_error (_("Too many tags! Truncated.")); + mutt_sleep (2); + return; + } safe_strcat (s, slen, keywords->data); safe_strcat (s, slen, " "); } diff -r 626cd5190109 imap/util.c --- a/imap/util.c Wed May 01 23:24:11 2002 +0000 
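Review bot: The length check added to imap_add_keywords counts the keyword but not the space appended after it: `spos += strlen (keywords->data);` followed by `if (spos + 1 > slen)`. Every accepted keyword is therefore undercounted by one byte, and the final keyword or its separator can still be cut inside safe_strcat. Count both and keep room for the terminator: `spos += strlen (keywords->data) + 1;` with `if (spos >= slen)`.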
+++ b/imap/util.c Mon May 29 17:19:37 2006 +0900 @@ -137,9 +137,18 @@ int imap_parse_path (const char* path, I if ((c = strrchr (tmp, '@'))) { *c = '\0'; - strfcpy (mx->account.user, tmp, sizeof (mx->account.user)); - strfcpy (tmp, c+1, sizeof (tmp)); - mx->account.flags |= M_ACCT_USER; + if (strlen (tmp) >= sizeof (mx->account.user)) + { + dprint (1, (debugfile, "imap_parse_path: too long username.\n")); + FREE (&mx->mbox); + return -1; + } + else + { + safe_strfcpy (mx->account.user, tmp, sizeof (mx->account.user)); + safe_strfcpy (tmp, c+1, sizeof (tmp)); + mx->account.flags |= M_ACCT_USER; + } } if ((n = sscanf (tmp, "%127[^:/]%127s", mx->account.host, tmp)) < 1) diff -r 626cd5190109 init.c --- a/init.c Wed May 01 23:24:11 2002 +0000 +++ b/init.c Mon May 29 17:19:37 2006 +0900 @@ -1542,7 +1542,7 @@ static void mutt_restore_default (struct { char path[_POSIX_PATH_MAX]; - strfcpy (path, (char *) p->init, sizeof (path)); + safe_strfcpy (path, (char *) p->init, sizeof (path)); mutt_expand_path (path, sizeof (path)); mutt_str_replace ((char **) p->data, path); } @@ -1821,6 +1821,11 @@ static int parse_set (BUFFER *tmp, BUFFE } else if (DTYPE (MuttVars[idx].type) == DT_PATH) { + if (strlen (tmp->data) >= sizeof (scratch)) + { + strfcpy (err->data, _("Path too long."), err->dsize); + return -1; + } strfcpy (scratch, tmp->data, sizeof (scratch)); mutt_expand_path (scratch, sizeof (scratch)); *((char **) MuttVars[idx].data) = safe_strdup (scratch); @@ -2207,6 +2212,11 @@ static int parse_source (BUFFER *tmp, BU strfcpy (err->data, _("source: too many arguments"), err->dsize); return (-1); } + if (strlen (tmp->data) >= sizeof (path)) + { + strfcpy (err->data, _("source: too long filename"), err->dsize); + return -1; + } strfcpy (path, tmp->data, sizeof (path)); mutt_expand_path (path, sizeof (path)); return (source_rc (path, err)); 
@@ -2762,8 +2772,8 @@ void mutt_init (int skip_sys_rc, LIST *c /* * XXX - use something even more difficult to predict? */ - snprintf (AttachmentMarker, sizeof (AttachmentMarker), - "\033]9;%ld\a", (long) time (NULL)); + safe_snprintf (sizeof (AttachmentMarker), (AttachmentMarker, sizeof (AttachmentMarker), + "\033]9;%ld\a", (long) time (NULL))); /* on one of the systems I use, getcwd() does not return the same prefix as is listed in the passwd file */ @@ -2815,7 +2825,7 @@ void mutt_init (int skip_sys_rc, LIST *c { Hostname = mutt_substrdup (utsname.nodename, p); p++; - strfcpy (buffer, p, sizeof (buffer)); /* save the domain for below */ + safe_strfcpy (buffer, p, sizeof (buffer)); /* save the domain for below */ } else Hostname = safe_strdup (utsname.nodename); @@ -2872,7 +2882,7 @@ void mutt_init (int skip_sys_rc, LIST *c { BUFFER buf, token; - snprintf (buffer, sizeof (buffer), "Reply-To: %s", p); + safe_snprintf (sizeof (buffer), (buffer, sizeof (buffer), "Reply-To: %s", p)); memset (&buf, 0, sizeof (buf)); buf.data = buf.dptr = buffer; diff -r 626cd5190109 keymap.c --- a/keymap.c Wed May 01 23:24:11 2002 +0000 +++ b/keymap.c Mon May 29 17:19:37 2006 +0900 @@ -508,7 +508,7 @@ char *km_keyname (int c) snprintf (buf, sizeof (buf), "\\%d%d%d", c >> 6, (c >> 3) & 7, c & 7); } else if (c >= KEY_F0 && c < KEY_F(256)) /* this maximum is just a guess */ - sprintf (buf, "", c - KEY_F0); + snprintf (buf, sizeof (buf), "", c - KEY_F0); else if (IsPrint (c)) snprintf (buf, sizeof (buf), "%c", (unsigned char) c); else diff -r 626cd5190109 main.c --- a/main.c Wed May 01 23:24:11 2002 +0000 +++ b/main.c Mon May 29 17:19:37 2006 +0900 @@ -578,6 +578,11 @@ int main (int argc, char **argv) break; case 'f': + if (strlen (optarg) >= sizeof (folder)) + { + fprintf (stderr, _("-f: too long: %s\n"), optarg); + exit (1); + } strfcpy (folder, optarg, sizeof (folder)); explicit_folder = 1; break; 
@@ -825,6 +830,13 @@ int main (int argc, char **argv) { char path[_POSIX_PATH_MAX]; + if (strlen (infile) < sizeof (path)) + { + if (!option (OPTNOCURSES)) + mutt_endwin (NULL); + fputs (_("Infile: too long filename.\n"), stderr); + exit (1); + } strfcpy (path, infile, sizeof (path)); mutt_expand_path (path, sizeof (path)); if ((fin = fopen (path, "r")) == NULL) diff -r 626cd5190109 mutt_socket.c --- a/mutt_socket.c Wed May 01 23:24:11 2002 +0000 +++ b/mutt_socket.c Mon May 29 17:19:37 2006 +0900 @@ -447,7 +447,7 @@ int raw_socket_open (CONNECTION* conn) hints.ai_socktype = SOCK_STREAM; - snprintf (port, sizeof (port), "%d", conn->account.port); + safe_snprintf (sizeof (port), (port, sizeof (port), "%d", conn->account.port)); # ifdef HAVE_LIBIDN if (idna_to_ascii_lz (conn->account.host, &host_idna, 1) != IDNA_SUCCESS) diff -r 626cd5190109 mutt_ssl.c --- a/mutt_ssl.c Wed May 01 23:24:11 2002 +0000 +++ b/mutt_ssl.c Mon May 29 17:19:37 2006 +0900 @@ -422,8 +422,8 @@ static void x509_fingerprint (char *s, i for (j = 0; j < (int) n; j++) { char ch[8]; - snprintf (ch, 8, "%02X%s", md[j], (j % 2 ? " " : "")); - safe_strcat (s, l, ch); + safe_snprintf (8, (ch, 8, "%02X%s", md[j], (j % 2 ? " " : ""))); + strfcat (s, l, ch); } } } diff -r 626cd5190109 mutt_ssl_gnutls.c --- a/mutt_ssl_gnutls.c Wed May 01 23:24:11 2002 +0000 +++ b/mutt_ssl_gnutls.c Mon May 29 17:19:37 2006 +0900 @@ -386,8 +386,8 @@ static void tls_fingerprint (gnutls_dige for (j = 0; j < (int) n; j++) { char ch[8]; - snprintf (ch, 8, "%02X%s", md[j], (j % 2 ? " " : "")); - safe_strcat (s, l, ch); + safe_snprintf (8, (ch, 8, "%02X%s", md[j], (j % 2 ? " " : ""))); + strfcat (s, l, ch); } s[2*n+n/2-1] = '\0'; /* don't want trailing space */ } diff -r 626cd5190109 muttlib.c --- a/muttlib.c Wed May 01 23:24:11 2002 +0000 +++ b/muttlib.c Mon May 29 17:19:37 2006 +0900 
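Review bot: The added length test is inverted: `if (strlen (infile) < sizeof (path))` exits with "Infile: too long filename." when the name fits, and lets an over-long name continue to `strfcpy`, where it is silently cut before `fopen`. It should read `if (strlen (infile) >= sizeof (path))`, matching the `-f` check added earlier in this file.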
@@ -883,8 +883,8 @@ void mutt_expand_fmt (char *dest, size_t if (!found && destlen > 0) { - safe_strcat (dest, destlen, " "); - safe_strcat (dest, destlen, src); + strfcat (dest, destlen, " "); + strfcat (dest, destlen, src); } } diff -r 626cd5190109 mx.c --- a/mx.c Wed May 01 23:24:11 2002 +0000 +++ b/mx.c Mon May 29 17:19:37 2006 +0900 @@ -79,11 +79,11 @@ static int invoke_dotlock (const char *p char r[SHORT_STRING]; if (flags & DL_FL_RETRY) - snprintf (r, sizeof (r), "-r %d ", retry ? MAXLOCKATTEMPT : 0); + safe_snprintf (sizeof (r), (r, sizeof (r), "-r %d ", retry ? MAXLOCKATTEMPT : 0)); mutt_quote_filename (f, sizeof (f), path); - snprintf (cmd, sizeof (cmd), + safe_snprintf (sizeof (cmd), (cmd, sizeof (cmd), "%s %s%s%s%s%s%s%s", NONULL (MuttDotlock), flags & DL_FL_TRY ? "-t " : "", @@ -92,7 +92,7 @@ static int invoke_dotlock (const char *p flags & DL_FL_FORCE ? "-f " : "", flags & DL_FL_UNLINK ? "-d " : "", flags & DL_FL_RETRY ? r : "", - f); + f)); return mutt_system (cmd); } diff -r 626cd5190109 pgp.c --- a/pgp.c Wed May 01 23:24:11 2002 +0000 +++ b/pgp.c Mon May 29 17:19:37 2006 +0900 @@ -1579,8 +1579,8 @@ int pgp_send_menu (HEADER *msg, int *red if ((p = pgp_ask_for_key (_("Sign as: "), NULL, KEYFLAG_CANSIGN, PGP_PUBRING))) { - snprintf (input_signas, sizeof (input_signas), "0x%s", - pgp_keyid (p)); + safe_snprintf (sizeof (input_signas), (input_signas, sizeof (input_signas), "0x%s", + pgp_keyid (p))); mutt_str_replace (&PgpSignAs, input_signas); pgp_free_key (&p); diff -r 626cd5190109 pgpkey.c --- a/pgpkey.c Wed May 01 23:24:11 2002 +0000 +++ b/pgpkey.c Mon May 29 17:19:37 2006 +0900 
@@ -512,14 +512,14 @@ static pgp_key_t pgp_select_key (pgp_key helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_PGP, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), MENU_PGP, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Check key "), MENU_PGP, OP_VERIFY_KEY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Help"), MENU_PGP, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + strfcat (helpstr, sizeof (helpstr), buf); menu = mutt_new_menu (); menu->max = i; @@ -562,7 +562,7 @@ static pgp_key_t pgp_select_key (pgp_key mutt_message _("Invoking PGP..."); - snprintf (tmpbuf, sizeof (tmpbuf), "0x%s", pgp_keyid (pgp_principal_key (KeyTable[menu->current]->parent))); + safe_snprintf (sizeof (tmpbuf), (tmpbuf, sizeof (tmpbuf), "0x%s", pgp_keyid (pgp_principal_key (KeyTable[menu->current]->parent)))); if ((thepid = pgp_invoke_verify_key (NULL, NULL, NULL, -1, fileno (fp), fileno (devnull), tmpbuf)) == -1) @@ -725,7 +725,7 @@ BODY *pgp_make_key_attachment (char *tem if (!key) return NULL; - snprintf (tmp, sizeof (tmp), "0x%s", pgp_keyid (pgp_principal_key (key))); + safe_snprintf (sizeof (tmp), (tmp, sizeof (tmp), "0x%s", pgp_keyid (pgp_principal_key (key)))); pgp_free_key (&key); if (!tempf) diff -r 626cd5190109 pop.c --- a/pop.c Wed May 01 23:24:11 2002 +0000 +++ b/pop.c Mon May 29 17:19:37 2006 +0900 
@@ -64,13 +64,13 @@ static int pop_read_header (POP_DATA *po return -3; } - snprintf (buf, sizeof (buf), "LIST %d\r\n", h->refno); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "LIST %d\r\n", h->refno)); ret = pop_query (pop_data, buf, sizeof (buf)); if (ret == 0) { sscanf (buf, "+OK %d %ld", &index, &length); - snprintf (buf, sizeof (buf), "TOP %d 0\r\n", h->refno); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "TOP %d 0\r\n", h->refno)); ret = pop_fetch_data (pop_data, buf, NULL, fetch_message, f); if (pop_data->cmd_top == 2) @@ -397,7 +397,7 @@ int pop_fetch_message (MESSAGE* msg, CON return -1; } - snprintf (buf, sizeof (buf), "RETR %d\r\n", h->refno); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "RETR %d\r\n", h->refno)); ret = pop_fetch_data (pop_data, buf, &progressbar, fetch_message, msg->fp); if (ret == 0) @@ -471,14 +471,14 @@ int pop_sync_mailbox (CONTEXT *ctx, int { if (ctx->hdrs[i]->deleted) { - snprintf (buf, sizeof (buf), "DELE %d\r\n", ctx->hdrs[i]->refno); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "DELE %d\r\n", ctx->hdrs[i]->refno)); ret = pop_query (pop_data, buf, sizeof (buf)); } } if (ret == 0) { - strfcpy (buf, "QUIT\r\n", sizeof (buf)); + safe_strfcpy (buf, "QUIT\r\n", sizeof (buf)); ret = pop_query (pop_data, buf, sizeof (buf)); } @@ -585,7 +585,7 @@ void pop_fetch_mail (void) mutt_message _("Checking for new messages..."); /* find out how many messages are in the mailbox. */ - strfcpy (buffer, "STAT\r\n", sizeof (buffer)); + safe_strfcpy (buffer, "STAT\r\n", sizeof (buffer)); ret = pop_query (pop_data, buffer, sizeof (buffer)); if (ret == -1) goto fail; @@ -600,7 +600,7 @@ void pop_fetch_mail (void) /* only get unread messages */ if (msgs > 0 && option (OPTPOPLAST)) { - strfcpy (buffer, "LAST\r\n", sizeof (buffer)); + safe_strfcpy (buffer, "LAST\r\n", sizeof (buffer)); ret = pop_query (pop_data, buffer, sizeof (buffer)); if (ret == -1) goto fail; 
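Review bot: Starting with the `QUIT\r\n` copy in pop_sync_mailbox, safe_strfcpy is applied to fixed string literals, where the run-time length test cannot fail unless the buffer is only a few bytes long. The same pattern recurs in pop_fetch_mail (`STAT`, `LAST`, `RSET`, `QUIT`) and in pop_capabilities, pop_open_connection and pop_logout in pop_lib.c. Keeping the plain `strfcpy (buf, "QUIT\r\n", sizeof (buf));` for literals and reserving the checked macro for variable input, such as `query` in pop_fetch_data, would make the checked call sites stand out as the ones that handle data of unknown length.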
@@ -628,7 +628,7 @@ void pop_fetch_mail (void) ret = -3; else { - snprintf (buffer, sizeof (buffer), "RETR %d\r\n", i); + safe_snprintf (sizeof (buffer), (buffer, sizeof (buffer), "RETR %d\r\n", i)); ret = pop_fetch_data (pop_data, buffer, NULL, fetch_message, msg->fp); if (ret == -3) rset = 1; @@ -645,7 +645,7 @@ void pop_fetch_mail (void) if (ret == 0 && delanswer == M_YES) { /* delete the message on the server */ - snprintf (buffer, sizeof (buffer), "DELE %d\r\n", i); + safe_snprintf (sizeof (buffer), (buffer, sizeof (buffer), "DELE %d\r\n", i)); ret = pop_query (pop_data, buffer, sizeof (buffer)); } @@ -673,14 +673,14 @@ void pop_fetch_mail (void) if (rset) { /* make sure no messages get deleted */ - strfcpy (buffer, "RSET\r\n", sizeof (buffer)); + safe_strfcpy (buffer, "RSET\r\n", sizeof (buffer)); if (pop_query (pop_data, buffer, sizeof (buffer)) == -1) goto fail; } finish: /* exit gracefully */ - strfcpy (buffer, "QUIT\r\n", sizeof (buffer)); + safe_strfcpy (buffer, "QUIT\r\n", sizeof (buffer)); if (pop_query (pop_data, buffer, sizeof (buffer)) == -1) goto fail; mutt_socket_close (conn); diff -r 626cd5190109 pop_auth.c --- a/pop_auth.c Wed May 01 23:24:11 2002 +0000 +++ b/pop_auth.c Mon May 29 17:19:37 2006 +0900 @@ -78,13 +78,13 @@ static pop_auth_res_t pop_auth_sasl (POP mutt_message _("Authenticating (SASL)..."); - snprintf (buf, sizeof (buf), "AUTH %s", mech); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "AUTH %s", mech)); olen = strlen (buf); /* looping protocol */ FOREVER { - strfcpy (buf + olen, "\r\n", sizeof (buf) - olen); + safe_strfcpy (buf + olen, "\r\n", sizeof (buf) - olen); mutt_socket_write (pop_data->conn, buf); if (mutt_socket_readln (inbuf, sizeof (inbuf), pop_data->conn) < 0) { 
@@ -143,7 +143,7 @@ bail: /* terminate SASL sessoin if the last responce is not +OK nor -ERR */ if (!mutt_strncmp (inbuf, "+ ", 2)) { - snprintf (buf, sizeof (buf), "*\r\n"); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "*\r\n")); if (pop_query (pop_data, buf, sizeof (buf)) == -1) return POP_A_SOCKET; } @@ -192,10 +192,10 @@ static pop_auth_res_t pop_auth_apop (POP MD5Final (digest, &mdContext); for (i = 0; i < sizeof (digest); i++) - sprintf (hash + 2 * i, "%02x", digest[i]); + snprintf (hash + 2 * i, sizeof (hash) - (2 * i), "%02x", digest[i]); /* Send APOP command to server */ - snprintf (buf, sizeof (buf), "APOP %s %s\r\n", pop_data->conn->account.user, hash); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "APOP %s %s\r\n", pop_data->conn->account.user, hash)); switch (pop_query (pop_data, buf, sizeof (buf))) { @@ -222,7 +222,7 @@ static pop_auth_res_t pop_auth_user (POP mutt_message _("Logging in..."); - snprintf (buf, sizeof (buf), "USER %s\r\n", pop_data->conn->account.user); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "USER %s\r\n", pop_data->conn->account.user)); ret = pop_query (pop_data, buf, sizeof (buf)); if (pop_data->cmd_user == 2) @@ -246,7 +246,7 @@ static pop_auth_res_t pop_auth_user (POP if (ret == 0) { - snprintf (buf, sizeof (buf), "PASS %s\r\n", pop_data->conn->account.pass); + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "PASS %s\r\n", pop_data->conn->account.pass)); ret = pop_query_d (pop_data, buf, sizeof (buf), #ifdef DEBUG /* don't print the password unless we're at the ungodly debugging level */ diff -r 626cd5190109 pop_lib.c --- a/pop_lib.c Wed May 01 23:24:11 2002 +0000 +++ b/pop_lib.c Mon May 29 17:19:37 2006 +0900 @@ -165,7 +165,7 @@ static int pop_capabilities (POP_DATA *p /* Execute CAPA command */ if (mode == 0 || pop_data->cmd_capa) { - strfcpy (buf, "CAPA\r\n", sizeof (buf)); + safe_strfcpy (buf, "CAPA\r\n", sizeof (buf)); switch (pop_fetch_data (pop_data, buf, NULL, fetch_capa, pop_data)) { case 0: 
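Review bot: In pop_auth_apop the `APOP %s %s\r\n` line is passed to pop_query even when safe_snprintf has flagged it as truncated, since the macro reports the problem and then falls through. A cut-off line has lost its trailing `\r\n` and possibly part of the digest, so the server would receive a malformed command. The `USER` and `PASS` lines in the two pop_auth_user hunks that follow behave the same way, and there a shortened `account.pass` would be sent as the password. Checking the length directly and returning before the query avoids this, e.g. `if (snprintf (buf, sizeof (buf), ...) >= (int) sizeof (buf)) return POP_A_FAILURE;`.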
@@ -185,7 +185,7 @@ static int pop_capabilities (POP_DATA *p pop_data->cmd_uidl = 2; pop_data->cmd_top = 2; - strfcpy (buf, "AUTH\r\n", sizeof (buf)); + safe_strfcpy (buf, "AUTH\r\n", sizeof (buf)); if (pop_fetch_data (pop_data, buf, NULL, fetch_auth, pop_data) == -1) return -1; } @@ -292,7 +292,7 @@ int pop_open_connection (POP_DATA *pop_d } if (pop_data->use_stls == 2) { - strfcpy (buf, "STLS\r\n", sizeof (buf)); + safe_strfcpy (buf, "STLS\r\n", sizeof (buf)); ret = pop_query (pop_data, buf, sizeof (buf)); if (ret == -1) goto err_conn; @@ -349,7 +349,7 @@ int pop_open_connection (POP_DATA *pop_d } /* get total size of mailbox */ - strfcpy (buf, "STAT\r\n", sizeof (buf)); + safe_strfcpy (buf, "STAT\r\n", sizeof (buf)); ret = pop_query (pop_data, buf, sizeof (buf)); if (ret == -1) goto err_conn; @@ -384,13 +384,13 @@ void pop_logout (CONTEXT *ctx) if (ctx->readonly) { - strfcpy (buf, "RSET\r\n", sizeof (buf)); + safe_strfcpy (buf, "RSET\r\n", sizeof (buf)); ret = pop_query (pop_data, buf, sizeof (buf)); } if (ret != -1) { - strfcpy (buf, "QUIT\r\n", sizeof (buf)); + safe_strfcpy (buf, "QUIT\r\n", sizeof (buf)); pop_query (pop_data, buf, sizeof (buf)); } @@ -461,7 +461,7 @@ int pop_fetch_data (POP_DATA *pop_data, long pos = 0; size_t lenbuf = 0; - strfcpy (buf, query, sizeof (buf)); + safe_strfcpy (buf, query, sizeof (buf)); ret = pop_query (pop_data, buf, sizeof (buf)); if (ret < 0) return ret; diff -r 626cd5190109 rfc1524.c --- a/rfc1524.c Wed May 01 23:24:11 2002 +0000 +++ b/rfc1524.c Mon May 29 17:19:37 2006 +0900 @@ -90,7 +90,7 @@ int rfc1524_expand_command (BODY *a, cha param[z] = '\0'; _pvalue = mutt_get_parameter (param, a->parameter); - strfcpy (pvalue, NONULL(_pvalue), sizeof (pvalue)); + safe_strfcpy (pvalue, NONULL(_pvalue), sizeof (pvalue)); if (option (OPTMAILCAPSANITIZE)) mutt_sanitize_filename (pvalue, 0); 
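Review bot: In rfc1524_expand_command the string copied into `pvalue` comes from `mutt_get_parameter (param, a->parameter)`, that is, from the message being handled, so the new length check reacts to input the user did not choose. With the macro from the lib.h part of this patch, each over-long parameter raises an error message, and DEBUG builds with debuglevel above 2 call abort(). The shortened value presumably still goes into the expanded command, although that code is outside the hunk. A plain `strfcpy` with a comment such as `/* parameter values come from the message; longer ones are cut to sizeof (pvalue) */` would keep the old behaviour explicit. Alternatively the function could stop expanding when the value does not fit.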
@@ -111,7 +111,13 @@ int rfc1524_expand_command (BODY *a, cha buf[y++] = command[x++]; } buf[y] = '\0'; - strfcpy (command, buf, clen); + if (y < clen) + strfcpy (command, buf, clen); + else + { + mutt_error (_("MIME command too long.")); + command[0] = '\0'; + } return needspipe; } diff -r 626cd5190109 rfc2231.c --- a/rfc2231.c Wed May 01 23:24:11 2002 +0000 +++ b/rfc2231.c Mon May 29 17:19:37 2006 +0900 @@ -348,14 +348,15 @@ int rfc2231_encode_string (char **pd) if (encode) { - e = safe_malloc (dlen + 2*ext + strlen (charset) + 3); - sprintf (e, "%s''", charset); /* __SPRINTF_CHECKED__ */ + size_t elen = dlen + 2*ext + strlen (charset) + 3; + e = safe_malloc (elen); + safe_snprintf (elen, (e, elen, "%s''", charset)); t = e + strlen (e); for (s = d, slen = dlen; slen; s++, slen--) if (*s < 0x20 || *s >= 0x7f || strchr (MimeSpecials, *s) || strchr ("*'%", *s)) { - sprintf (t, "%%%02X", (unsigned char)*s); + safe_snprintf (elen - (t - e), (t, elen - (t - e), "%%%02X", (unsigned char)*s)); t += 3; } else diff -r 626cd5190109 sendlib.c --- a/sendlib.c Wed May 01 23:24:11 2002 +0000 +++ b/sendlib.c Mon May 29 17:19:37 2006 +0900 @@ -327,7 +327,7 @@ int mutt_write_mime_header (BODY *a, FIL */ if (!ascii_strcasecmp (p->attribute, "boundary") && !strcmp (buffer, tmp)) - snprintf (buffer, sizeof (buffer), "\"%s\"", tmp); + safe_snprintf (sizeof (buffer), (buffer, sizeof (buffer), "\"%s\"", tmp)); FREE (&tmp); @@ -1719,9 +1719,9 @@ char *mutt_gen_msgid (void) if(!(fqdn = mutt_fqdn(0))) fqdn = NONULL(Hostname); - snprintf (buf, sizeof (buf), "<%d%02d%02d%02d%02d%02d.G%c%u@%s>", + safe_snprintf (sizeof (buf), (buf, sizeof (buf), "<%d%02d%02d%02d%02d%02d.G%c%u@%s>", tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, - tm->tm_min, tm->tm_sec, MsgIdPfx, (unsigned int)getpid (), fqdn); + tm->tm_min, tm->tm_sec, MsgIdPfx, (unsigned int)getpid (), fqdn)); MsgIdPfx = (MsgIdPfx == 'Z') ? 'A' : MsgIdPfx + 1; return (safe_strdup (buf)); } diff -r 626cd5190109 smime.c 
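Review bot: The new else branch in rfc1524_expand_command empties `command` but the function then returns `needspipe` exactly as on success, so a caller has to know to test `*command` before running it. A comment on the branch would record that contract, e.g. `/* on overflow command is emptied; callers must check *command before use */`. The write `command[0] = '\0'` also touches one byte when `clen` is 0, so it should sit under `if (clen > 0)`. The loop that fills `buf` starts outside the hunk, so whether `y` stays below the size of `buf` cannot be confirmed from here.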
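Review bot: In rfc2231_encode_string, `t += 3` runs whether or not the macro reported truncation, so a sizing mistake would still advance `t` past the buffer. The remaining-space expression `elen - (t - e)` is also written twice in the `%%%02X` call. The buffer is allocated with exactly the size held in `elen`, so the check should never fire. If it stays as a guard, compute the space once with `size_t left = elen - (t - e);` and leave the loop when the write does not fit. The body of the trailing `else` lies outside the hunk and is not covered by any check visible here.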
--- a/smime.c Wed May 01 23:24:11 2002 +0000 +++ b/smime.c Mon May 29 17:19:37 2006 +0900 @@ -465,7 +465,7 @@ char* smime_ask_for_key (char *prompt, c } if (hash) { fname = safe_malloc(13); /* Hash + '.' + Suffix + \0 */ - sprintf(fname, "%.8x.%i", Table[cur].hash, Table[cur].suffix); + safe_snprintf (13, (fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix)); } else fname = NULL;
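Review bot: In smime_ask_for_key the size 13 leaves room for only three characters of `Table[cur].suffix` after the eight hash digits and the dot, so a longer suffix is cut and `fname` then names a different file than the selected entry. safe_snprintf reports the truncation, but the shortened name is still kept. Dropping the name is a one-line change, `if (snprintf (fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix) >= 13) FREE (&fname);`, which leaves `fname` NULL as in the `else` branch. The literal 13 now appears three times, and a named constant would remove the repetition. How `fname` is used afterwards is outside the hunk.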