From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Tue, 5 Apr 2022 11:05:52 -0700
Subject: [PATCH] Fix uudecode buffer overflow.
|
mutt_decode_uuencoded() used each line's initial "length character"
without any validation. It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.
|
As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust. However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.
|
Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.
---
handler.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
|
diff --git a/handler.c b/handler.c
index d1b4bc73..c97cf0cb 100644
--- a/handler.c
+++ b/handler.c
@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
pt = tmps;
linelen = decode_byte (*pt);
pt++;
- for (c = 0; c < linelen;)
+ for (c = 0; c < linelen && *pt;)
{
- for (l = 2; l <= 6; l += 2)
+ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
{
out = decode_byte (*pt) << l;
pt++;
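Review bot: The length character at `linelen = decode_byte (*pt);` is still read and skipped by the following `pt++;` before any of the new `*pt` checks run, so if `tmps` can ever be an empty string the decoder steps past its terminator before the guards take effect; whether that is reachable and what `decode_byte` yields for a NUL byte are outside the hunk, so this may be moot, but a `if (!*pt)` early-out ahead of that `pt++` would make the invariant local to the loop. The new conditions on the two `for` lines make correctness depend on `tmps` being NUL-terminated, which the hunk does not show, and a comment on the outer loop such as `/* tmps is NUL-terminated: the *pt checks keep the decoder inside the line when the length character claims more data than is present */` would record that dependency for the next reader. The rest of the inner loop body and the advance of `pt` and `c` after it lie outside the hunk; if the inner loop now exits early on `*(pt + 1) == 0` while `*pt` is non-zero, that path must still advance `pt` or `c`, otherwise the outer loop spins, which is worth confirming against the surrounding code. A line whose length character overstates the data present is now decoded silently as a short line rather than being reported; the commit message says the narrow scope is deliberate, so a one-line comment saying so would keep a later cleanup from treating it as an oversight. mutt_decode_uuencoded's body continues outside the hunk.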
--
2.34.1