From: Santiago Vila <sanvila@debian.org>
Subject: Modified mailfold.c to fix a segfault problem
X-Debian-version: 3.22-2

--- src/mailfold.c.orig
+++ src/mailfold.c
@@ -378,7 +378,8 @@
 	dfilled=mailread=0;
      else if(rhead)				/* only read in a new header */
       { memblk new;
-	dfilled=mailread=0;makeblock(&new,0);readdyn(&new,&dfilled,0);
+	dfilled=mailread=0;makeblock(&new,0);
+	readdyn(&new,&dfilled,thebody-themail.p);
 	if(tobesent>dfilled&&isprivate)		     /* put it in place here */
 	 { tmemmove(themail.p+dfilled,thebody,filled-=tobesent);
 	   tmemmove(themail.p,new.p,dfilled);

From: Santiago Vila <sanvila@debian.org>
Subject: Fix memory allocation bug in pipes.c
Bug-Debian: http://bugs.debian.org/171514
X-Debian-version: 3.22-5

--- src/pipes.c.orig
+++ src/pipes.c
@@ -194,7 +194,7 @@
      makeblock(&temp,Stdfilled);
      tmemmove(temp.p,Stdout,Stdfilled);
      readdyn(&temp,&Stdfilled,Stdfilled+backlen+1);
-     Stdout=realloc(Stdout,&Stdfilled+1);
+     Stdout=realloc(Stdout,Stdfilled+1);
      tmemmove(Stdout,temp.p,Stdfilled+1);
      freeblock(&temp);
      retStdout(Stdout,pwait&&pipw,!backblock);

From: Santiago Vila <sanvila@debian.org>
Subject: Fixed off-by-1 memory allocation error
Bug-Debian: http://bugs.debian.org/474298
Bug-Debian: http://bugs.debian.org/484352
X-Debian-version: 3.22-17

--- src/mailfold.c.orig
+++ src/mailfold.c
@@ -205,7 +205,7 @@
   if(linkfolder)		    /* any additional directories specified? */
    { size_t blen;
      if(blen=Tmnate-linkfolder)		       /* copy the names into safety */
-	Tmnate=(linkfolder=tmemmove(malloc(blen),linkfolder,blen))+blen;
+	Tmnate=(linkfolder=tmemmove(malloc(blen+1),linkfolder,blen))+blen;
      else
 	linkfolder=0;
    }

From: Tero Marttila <terom@fixme.fi>
Subject: Fix off-by-one error that makes procmail to segfault on certain .procmailrc files
X-Debian-version: 3.22-23

--- src/cstdio.c.orig
+++ src/cstdio.c
@@ -144,7 +144,7 @@
       { case '\n':case EOF:*q='\0';
 	   return overflow?-1:p!=q;	     /* did we read anything at all? */
       }
-     if(q==end)	    /* check here so that a trailing backslash won't be lost */
+     if(q>=end)	    /* check here so that a trailing backslash won't be lost */
 	q=p,overflow=1;
      *q++=i;
    }
@@ -199,7 +199,7 @@
 	   if(*(target=strchr(target,'\0')-1)=='\\')
 	    { if(chp2!=target)				  /* non-empty line? */
 		 target++;		      /* then preserve the backslash */
-	      if(target>end-2)			  /* space enough for getbl? */
+	      if(target>=end-2)			  /* space enough for getbl? */
 		 target=end-linebuf,overflow=1;		/* toss what we have */
 	      continue;
 	    }

From: Jan Darmochwal <jdarmochwal@gmx.de>
Subject: formail memory corruption fixes
X-Debian-version: 3.22-24

--- src/formail.c.orig
+++ src/formail.c
@@ -219,7 +219,7 @@
   if(i>=0&&(i!=maxindex(sest)||fldp==rdheader))		  /* found anything? */
    { char*saddr;char*tmp;			     /* determine the weight */
      nowm=areply&&headreply?headreply==1?sest[i].wrepl:sest[i].wrrepl:i;chp+=j;
-     tmp=malloc(j=fldp->Tot_len-j);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0';
+     tmp=malloc((j=fldp->Tot_len-j) + 1);tmemmove(tmp,chp,j);(chp=tmp)[j-1]='\0';
      if(sest[i].head==From_)
       { char*pastad;
 	if(strchr(saddr=chp,'\n'))		     /* multiple From_ lines */
--- src/formisc.c.orig
+++ src/formisc.c
@@ -66,7 +66,7 @@
 retz:	      *target='\0';
 ret:	      return start;
 	    }
-	   if(*start=='\\')
+	   if(*start=='\\' && *(start + 1))
 	      *target++='\\',start++;
 	   hitspc=2;
 	   goto normal;					      /* normal word */