CVE request: mutt: heap-based buffer overflow in mutt_substrdup()

[Murray McAllister <mmcallis () redhat com>]

Good morning,

Jakub Wilk reported a crash in mutt:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771125

Looking in mutt-1.5.23-2.fc20.x86_64:

char *mutt_substrdup (const char *begin, const char *end)
{
  size_t len;
  char *p;

  if (end)
    len = end - begin;
  else
    len = strlen (begin);

  p = safe_malloc (len + 1);
  memcpy (p, begin, len);
  p[len] = 0;
  return p;
}

"end" can be less than "begin", and in this case -1 tries to be stored 
in the unsigned int len. The safe_malloc will therefore be called with 
"0" (due to the +1), and then the following memcpy will use the huge len.

(gdb) b mutt_substrdup
Breakpoint 1 at 0x46daf0: file lib.c, line 814.
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (
    begin=begin@entry=0xe4b630 "From jwilk () jwilk net Wed Nov 26 
18:01:22 2014\nFrom:\n\rI\n",
    end=end@entry=0xe4b65e "From:\n\rI\n") at lib.c:814
814     {
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (begin=begin@entry=0xe4b65e "From:\n\rI\n",
    end=end@entry=0xe4b662 ":\n\rI\n") at lib.c:814
814     {
(gdb) c
Continuing.

Breakpoint 1, mutt_substrdup (begin=0xe4b665 "I\n", 
end=end@entry=0xe4b664 "\rI\n") at lib.c:814
814     {
(gdb) x/s begin
0xe4b665:       "I\n"
(gdb) x/s end
0xe4b664:       "\rI\n"
(gdb) n
818       if (end)
(gdb) n
819         len = end - begin;
(gdb) n
823       p = safe_malloc (len + 1);
(gdb) p len
$1 = 18446744073709551615
(gdb) p len + 1
$2 = 0

We haven't looked yet where the overlap occurs, nor have a patch yet.

I did have to put "set weed=off" in .muttrc for the issue to present.

Cheers,

--
Murray McAllister / Red Hat Product Security