Jedi/Sector One <j@pureftpd.org> reported the following
on the full-disclosure list:
Every document is stored in multiple parts according to
its sections (description, body, etc.) in databases. And
when the content has to be sent to the client,
UdmDocToTextBuf() concatenates those parts together and
skips metadata.
Unfortunately, that function lacks bounds checking and
a buffer overflow can be triggered by indexing a large
enough document.
'len' is fixed to 10K [in UdmDocToTextBuf] in searchd.c.
S->val length depends on the length of the original
document and on the indexer settings (the sample
configuration file has low limits that work around the
bug, though).
Exploitation should be easy, moreover textbuf points to
the stack.
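As an added illustration of the fix the report calls for (this is example code written here, not the reporter's code and not mnoGoSearch's actual UdmDocToTextBuf; the `struct section`, `textbuf_required`, `textbuf_build` and demo names, the '\n' separator, and the sample document are all assumptions), the following C shows a bounds-checked way to join a document's non-metadata sections into a fixed 10K buffer. It always NUL-terminates, reports truncation instead of writing past `len`, and exposes a size query so a caller can reject or resize before concatenating.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEXTBUF_LEN 10240   /* matches the fixed 10K 'len' described in the report */

/* Hypothetical section record; the real mnoGoSearch structures are not reproduced. */
struct section {
    const char *name;   /* e.g. "title", "body", "meta.robots" */
    const char *val;    /* section text (the report's S->val) */
    int is_meta;        /* 1 = metadata, skipped when building the text buffer */
};

/* Bytes needed to hold every non-metadata section followed by '\n', plus the
   terminating NUL. Lets a caller size or reject a document up front. */
size_t textbuf_required(const struct section *s, size_t n)
{
    size_t total = 1;                       /* terminating NUL */
    for (size_t i = 0; i < n; i++) {
        if (s[i].is_meta) continue;
        total += strlen(s[i].val) + 1;      /* body plus separator */
    }
    return total;
}

/* Bounds-checked concatenation into textbuf[len]. Copies as much as fits,
   always NUL-terminates, returns 0 on success or -1 if output was truncated.
   The unchecked form (copying S->val without comparing against len) is the
   defect class the report describes. */
int textbuf_build(char *textbuf, size_t len, const struct section *s, size_t n)
{
    size_t used = 0;
    if (len == 0) return -1;
    textbuf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (s[i].is_meta) continue;
        size_t vlen = strlen(s[i].val);
        if (used + vlen + 1 >= len) {       /* body + separator would leave no room for NUL */
            size_t room = len - 1 - used;   /* room <= vlen here */
            memcpy(textbuf + used, s[i].val, room);
            textbuf[len - 1] = '\0';
            return -1;
        }
        memcpy(textbuf + used, s[i].val, vlen);
        used += vlen;
        textbuf[used++] = '\n';
        textbuf[used] = '\0';
    }
    return 0;
}

/* Constructed sample: a small document that fits; metadata must be skipped. */
int demo_small_fits(void)
{
    static char textbuf[TEXTBUF_LEN];
    struct section doc[] = {
        { "title",       "Sample document", 0 },
        { "meta.robots", "index,follow",    1 },
        { "body",        "Hello, world.",   0 },
    };
    int rc = textbuf_build(textbuf, sizeof textbuf, doc, 3);
    return rc == 0
        && strcmp(textbuf, "Sample document\nHello, world.\n") == 0
        && textbuf_required(doc, 3) == strlen(textbuf) + 1;
}

/* Constructed sample: a body larger than the 10K buffer. The bounded builder
   truncates and reports -1 rather than writing past the end of textbuf. */
int demo_oversized_truncates(void)
{
    static char body[TEXTBUF_LEN + 512];
    static char textbuf[TEXTBUF_LEN];
    memset(body, 'A', sizeof body - 1);
    body[sizeof body - 1] = '\0';
    struct section doc[] = {
        { "title",       "Sample document", 0 },
        { "meta.robots", "index,follow",    1 },
        { "body",        body,              0 },
    };
    int rc = textbuf_build(textbuf, sizeof textbuf, doc, 3);
    return rc == -1 && strlen(textbuf) == TEXTBUF_LEN - 1;
}

int main(void)
{
    printf("small document fits:        %s\n", demo_small_fits() ? "yes" : "no");
    printf("oversized body truncated:   %s\n", demo_oversized_truncates() ? "yes" : "no");
    return 0;
}
```

The check `used + vlen + 1 >= len` is evaluated before each copy, so the only way to exceed `len` is removed regardless of how large the indexer allowed `S->val` to grow; callers that prefer a hard error over silent truncation can compare `textbuf_required()` against `len` first.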