From a90589add0207b02385596c870c86dd9ea183347 Mon Sep 17 00:00:00 2001
From: Antonio Radici <antonio@dyne.org>
Date: Sun, 31 Jan 2010 15:24:41 +0000
Subject: [PATCH 1/1] upstream/553321-ansi-escape-segfault.patch: prevent mutt
 from segfaulting with large ASCII escape sequences (Closes: 553321)

---
 debian/changelog                                |  2 ++
 debian/patches/series                           |  1 +
 .../upstream/553321-ansi-escape-segfault.patch  | 17 +++++++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 debian/patches/upstream/553321-ansi-escape-segfault.patch

diff --git a/debian/changelog b/debian/changelog
index 6923b39..bc98d66 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ mutt (1.5.20-7) unstable; urgency=low
   * debian/patches:
     + upstream/548494-swedish-intl.patch: fixes to Swedish translation 
       (Closes: 548494)
+    + upstream/553321-ansi-escape-segfault.patch: prevent mutt from segfaulting
+      with large ASCII escape sequences (Closes: 553321)
   * debian/control: 
     + bumping Standards-Version to 3.8.4, nothing to be done
     + adding ${misc:Depends} to make lintian happy
diff --git a/debian/patches/series b/debian/patches/series
index 67b4dd0..2257aa7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,6 +51,7 @@ upstream/544794-smtp-batch.patch
 upstream/537694-segv-imap-headers.patch
 upstream/548577-gpgme-1.2.patch
 upstream/548494-swedish-intl.patch
+upstream/553321-ansi-escape-segfault.patch
 
 misc/hyphen-as-minus.patch
 #misc/manpage-typos.patch
diff --git a/debian/patches/upstream/553321-ansi-escape-segfault.patch b/debian/patches/upstream/553321-ansi-escape-segfault.patch
new file mode 100644
index 0000000..85a8788
--- /dev/null
+++ b/debian/patches/upstream/553321-ansi-escape-segfault.patch
@@ -0,0 +1,17 @@
+This patch prevents mutt from crashing when *buf is freed, the root cause is the
+fact that an adjacent memory segment (*fmt) overruns and overwrite prev_size
+field in the heap.
+
+The bug and the patch were forwarded upstream, see http://bugs.mutt.org/3371
+
+--- a/pager.c
++++ b/pager.c
+@@ -1028,7 +1028,7 @@
+     q = *fmt;
+     while (*p)
+     {
+-      if (*p == '\010' && (p > *buf))
++      if (*p == '\010' && (p > *buf) && (q > *fmt))
+       {
+ 	if (*(p+1) == '_')	/* underline */
+ 	  p += 2;
-- 
2.43.0