fix (another) out-of-bounds access in CRLF conversion

if the header contained no CRs but the body (or the post-TUID part of the header) did, the TUID insertion would add an excess CR, thus overflowing the buffer by one byte.
2011-03-27 10:52:47 +02:00 · 2011-03-27 10:52:47 +02:00 · 8df1ebaf40
commit 8df1ebaf40
parent 39006d7f24
1 changed files with 7 additions and 7 deletions
--- a/src/sync.c
+++ b/src/sync.c
@ -211,7 +211,7 @@ msg_fetched( int sts, void *aux )
 	copy_vars_t *vars = (copy_vars_t *)aux;
 	SVARS(vars->aux)
 	char *fmap, *buf;
-	int i, len, extra, scr, tcr, lcrs, crs, lines;
+	int i, len, extra, scr, tcr, lcrs, hcrs, bcrs, lines;
 	int start, sbreak = 0, ebreak = 0;
 	char c;
@ -224,7 +224,7 @@ msg_fetched( int sts, void *aux )
 		if (vars->srec || scr != tcr) {
 			fmap = vars->data.data;
 			len = vars->data.len;
-			extra = lines = crs = i = 0;
+			extra = lines = hcrs = bcrs = i = 0;
 			if (vars->srec) {
 			  nloop:
 				start = i;
@ -239,7 +239,7 @@ msg_fetched( int sts, void *aux )
 							goto oke;
 						}
 						lines++;
-						crs += lcrs;
+						hcrs += lcrs;
 						if (i - lcrs - 1 == start) {
 							sbreak = ebreak = start;
 							goto oke;
@ -253,17 +253,17 @@ msg_fetched( int sts, void *aux )
 				free( fmap );
 				return vars->cb( SYNC_NOGOOD, 0, vars );
 			  oke:
-				extra += 8 + TUIDL + 1 + (tcr && crs);
+				extra += 8 + TUIDL + 1 + (tcr && hcrs);
 			}
 			if (tcr != scr) {
 				for (; i < len; i++) {
 					c = fmap[i];
 					if (c == '\r')
-						crs++;
+						bcrs++;
 					else if (c == '\n')
 						lines++;
 				}
-				extra -= crs;
+				extra -= hcrs + bcrs;
 				if (tcr)
 					extra += lines;
 			}
@ -294,7 +294,7 @@ msg_fetched( int sts, void *aux )
 				buf += 8;
 				memcpy( buf, vars->srec->tuid, TUIDL );
 				buf += TUIDL;
-				if (tcr && crs)
+				if (tcr && hcrs)
 					*buf++ = '\r';
 				*buf++ = '\n';
 				i = ebreak;