From 25412109321aa575647f21b7b8b9f11634071f26 Mon Sep 17 00:00:00 2001
From: Georg Sauthoff
Date: Fri, 8 Feb 2019 14:57:51 +0100
Subject: [PATCH 09/11] Fix buffer overflow in add_buff (#122)

cf. https://sourceforge.net/p/bogofilter/bugs/122/
---
 src/buff.c | 2 +-
 src/lexer.c | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/buff.c b/src/buff.c
index 5342cd2..c325945 100644
--- a/src/buff.c
+++ b/src/buff.c
@@ -58,7 +58,7 @@ int buff_add(buff_t *self, word_t *in)
 int readcnt = in->leng;
 uint new_size = self->t.leng + in->leng;
 if (new_size > self->size) {
- self->t.u.text = xrealloc(self->t.u.text, new_size);
+ self->t.u.text = xrealloc(self->t.u.text, new_size + D);
 self->size = new_size;
 }
 self->read = readpos;
diff --git a/src/lexer.c b/src/lexer.c
index 63bd4cb..60692b6 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -152,12 +152,14 @@ static int get_decoded_line(buff_t *buff)
 {
 int count;
 buff_t *linebuff;
+ // since msg_state might change during calls
+ bool mime_dont_decode = msg_state->mime_dont_decode;
 
 #ifdef DISABLE_UNICODE
 linebuff = buff;
 #else
 if (encoding == E_RAW ||
- msg_state->mime_dont_decode ) {
+ mime_dont_decode ) {
 linebuff = buff;
 }
 else {
@@ -180,6 +182,8 @@ static int get_decoded_line(buff_t *buff)
 }
 #endif
 
+ // note that this call might invoke got_mimeboundary() thus
+ // changing the global msg_state variable
 count = yy_get_new_line(linebuff);
 
 if (count == EOF) {
@@ -200,7 +204,7 @@ static int get_decoded_line(buff_t *buff)
 textblock_add(linebuff->t.u.text+linebuff->read, (size_t) count);
 
 if ( !msg_header &&
- !msg_state->mime_dont_decode &&
+ !mime_dont_decode &&
 msg_state->mime_type != MIME_TYPE_UNKNOWN) {
 word_t temp;
 
@@ -221,7 +225,7 @@ static int get_decoded_line(buff_t *buff)
 
 #ifndef DISABLE_UNICODE
 if (encoding == E_UNICODE &&
- !msg_state->mime_dont_decode &&
+ !mime_dont_decode &&
 count > 0) {
 iconvert(linebuff, buff);
 
-- 
2.20.1
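Review bot: In the buff.c hunk `self->size = new_size;` now records a capacity D bytes smaller than what xrealloc actually allocates, and nothing says why, so a later reader may either "correct" the bookkeeping to `new_size + D` or drop the slack and reintroduce the overflow this commit fixes. Add a comment on the xrealloc line that states the invariant, e.g. `/* keep D bytes of slack past the usable length: self->size stays the usable size, the allocation is always size + D */`; the exact writer that needs the slack is not visible here (the subject only says "buffer overflow in add_buff"), so name it once you have confirmed it. `new_size` is an unsigned `uint` built from `self->t.leng + in->leng`, so that sum, and the added `+ D`, can wrap on pathological lengths and hand xrealloc a short allocation; unless `leng` is bounded upstream, a guard such as `if (in->leng > UINT_MAX - D - self->t.leng) { /* refuse */ }` before the realloc would close that, which I cannot tell from this hunk. buff_add's body starts and ends outside the hunk.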
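Review bot: The new local `mime_dont_decode` at the top of get_decoded_line pins one field of `msg_state` to its value before `yy_get_new_line()`, yet the condition in the -200 hunk still reads `msg_state->mime_type` live, after that call may have replaced `msg_state` (as the added comment says), so the `if` mixes pre-call and post-call state. If that mix is intended, say so next to the condition, e.g. `/* mime_type is deliberately taken from the (possibly replaced) msg_state; mime_dont_decode was captured before yy_get_new_line() */`; if it is not, snapshot `mime_type` the same way at function entry. The -221 hunk has the same shape, with `encoding` also read live. The comment on the new local would be more useful stating the contract than "might change during calls", e.g. `/* captured before yy_get_new_line(), which can replace msg_state via got_mimeboundary() */`. get_decoded_line ends outside these hunks.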