bogofilter/0009-Fix-buffer-overflow-in-add_buff-122.patch

From 25412109321aa575647f21b7b8b9f11634071f26 Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 14:57:51 +0100
Subject: [PATCH 09/11] Fix buffer overflow in add_buff (#122)
cf. https://sourceforge.net/p/bogofilter/bugs/122/
---
src/buff.c | 2 +-
src/lexer.c | 10 +++++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/buff.c b/src/buff.c
index 5342cd2..c325945 100644
--- a/src/buff.c
+++ b/src/buff.c
@@ -58,7 +58,7 @@ int buff_add(buff_t *self, word_t *in)
int readcnt = in->leng;
uint new_size = self->t.leng + in->leng;
if (new_size > self->size) {
- self->t.u.text = xrealloc(self->t.u.text, new_size);
+ self->t.u.text = xrealloc(self->t.u.text, new_size + D);
self->size = new_size;
}
self->read = readpos;
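Review bot: The block is now allocated as `new_size + D`, but the next line still records `self->size = new_size`, so the rule that the allocation is always D bytes larger than `size` is implicit only. `D` is defined outside this hunk and nothing here says which writer needs the slack; a comment on the xrealloc line such as `/* keep D spare bytes beyond size for data written past leng; size excludes them */` would make the rule explicit. Any other site that allocates `t.u.text` has to follow the same rule, otherwise the overflow can return when the buffer does not go through this growth path. Separately, `new_size` is a `uint` sum of two lengths and neither it nor `new_size + D` is checked for wrap-around before xrealloc; whether the lengths are bounded upstream is not visible here. buff_add's body continues outside the hunk.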
diff --git a/src/lexer.c b/src/lexer.c
index 63bd4cb..60692b6 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -152,12 +152,14 @@ static int get_decoded_line(buff_t *buff)
{
int count;
buff_t *linebuff;
+ // since msg_state might change during calls
+ bool mime_dont_decode = msg_state->mime_dont_decode;
#ifdef DISABLE_UNICODE
linebuff = buff;
#else
if (encoding == E_RAW ||
- msg_state->mime_dont_decode ) {
+ mime_dont_decode ) {
linebuff = buff;
}
else {
@@ -180,6 +182,8 @@ static int get_decoded_line(buff_t *buff)
}
#endif
+ // note that this call might invoke got_mimeboundary() thus
+ // changing the global msg_state variable
count = yy_get_new_line(linebuff);
if (count == EOF) {
@@ -200,7 +204,7 @@ static int get_decoded_line(buff_t *buff)
textblock_add(linebuff->t.u.text+linebuff->read, (size_t) count);
if ( !msg_header &&
- !msg_state->mime_dont_decode &&
+ !mime_dont_decode &&
msg_state->mime_type != MIME_TYPE_UNKNOWN)
{
word_t temp;
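Review bot: This condition now mixes the snapshotted `mime_dont_decode` with a live read of `msg_state->mime_type`, which is evaluated after yy_get_new_line() and therefore after the point where the commit's own comment says msg_state may have changed. If the decode decision is meant to describe the MIME part the line was read for, `mime_type` should be captured with the flag at the top of the function, e.g. `mime_t mime_type = msg_state->mime_type;` (type name assumed, it is not visible here). If the post-call value is intended, a comment saying so would prevent a later "fix" in either direction. The same snapshot is used in the `E_UNICODE` check in the last hunk, which is consistent with how `linebuff` was chosen; the function body continues outside these hunks.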
@@ -221,7 +225,7 @@ static int get_decoded_line(buff_t *buff)
#ifndef DISABLE_UNICODE
if (encoding == E_UNICODE &&
- !msg_state->mime_dont_decode &&
+ !mime_dont_decode &&
count > 0)
{
iconvert(linebuff, buff);
--
2.20.1