Mutt overflows if you have a Name with a long string of ampersands,
like "x&&&&&&&&&&&&...&&&", where the ampersands expand to greater
than 256. Crashes on startup. There is also a chance of an
unterminated string, fixed as well.
A similar fix in -stable mutt is needed.
-Ray-
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/mutt/snapshot/Makefile,v
retrieving revision 1.40
diff -u -p -r1.40 Makefile
--- Makefile 2 Aug 2006 14:30:09 -0000 1.40
+++ Makefile 2 May 2007 22:03:14 -0000
@@ -4,6 +4,7 @@ COMMENT= "tty-based e-mail client, devel
VERSION= 1.5.12
DISTNAME= mutt-${VERSION}
+PKGNAME= ${DISTNAME}p0
MASTER_SITES= ${MASTER_SITES_MUTT:=devel/}
FLAVORS= hcache idn sidebar
Index: patches/patch-muttlib_c
===================================================================
RCS file: patches/patch-muttlib_c
diff -N patches/patch-muttlib_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-muttlib_c 2 May 2007 22:03:14 -0000
@@ -0,0 +1,25 @@
+$OpenBSD$
+--- muttlib.c.orig Wed May 2 17:30:25 2007
++++ muttlib.c Wed May 2 17:48:19 2007
+@@ -532,16 +532,19 @@ char *mutt_gecos_name (char *dest, size_t destlen, str
+
+ pwnl = strlen (pw->pw_name);
+
+- for (idx = 0; dest[idx]; idx++)
++ for (idx = 0; dest[idx] && idx < destlen; idx++)
+ {
+ if (dest[idx] == '&')
+ {
+- memmove (&dest[idx + pwnl], &dest[idx + 1],
++ /* Don't move if destination is outside buffer. */
++ if (idx + pwnl < destlen)
++ memmove (&dest[idx + pwnl], &dest[idx + 1],
+ MAX(destlen - idx - pwnl - 1, 0));
+ memcpy (&dest[idx], pw->pw_name, MIN(destlen - idx - 1, pwnl));
+ dest[idx] = toupper ((unsigned char) dest[idx]);
+ }
+ }
++ dest[idx] = '\0';
+
+ return dest;
+ }
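Review bot: The added `dest[idx] = '\0';` after the loop can write one byte past the buffer. When the loop ends because `idx < destlen` fails, idx equals destlen, so the store goes to dest[destlen]. When the loop ends on the NUL test instead, the store is a no-op, so the line never terminates a string inside the buffer. The new loop condition has the same off-by-one on the read side: `dest[idx] && idx < destlen` evaluates dest[idx] before the bound, so dest[destlen] is read on the last iteration. I would test the bound first (`idx < destlen && dest[idx]`) and terminate at a clamped index, for example `dest[destlen - 1] = '\0';`, with a guard for destlen == 0. Separately, destlen is a size_t, so `destlen - idx - pwnl - 1` is computed unsigned and `MAX(..., 0)` never clamps anything. The new `idx + pwnl < destlen` check is what actually keeps the memmove length in range, and a short comment saying so (or dropping the MAX) would make that clearer.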