90 lines
2.8 KiB
Diff
90 lines
2.8 KiB
Diff
From db3f056da3b16afa09bf807c717664689d35bdcb Mon Sep 17 00:00:00 2001
|
|
From: Georg Sauthoff <mail@georg.so>
|
|
Date: Fri, 8 Feb 2019 19:12:29 +0100
|
|
Subject: [PATCH 10/11] Fix fill_buf heap-buffer-overflow (#123)
|
|
|
|
cf. https://sourceforge.net/p/bogofilter/bugs/123/
|
|
---
|
|
src/lexer.c | 27 +++++++++++++++------------
|
|
1 file changed, 15 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/src/lexer.c b/src/lexer.c
|
|
index 60692b6..b7b4b3b 100644
|
|
--- a/src/lexer.c
|
|
+++ b/src/lexer.c
|
|
@@ -11,6 +11,7 @@
|
|
|
|
#include <ctype.h>
|
|
#include <stdlib.h>
|
|
+#include <assert.h>
|
|
|
|
#include "base64.h"
|
|
#include "bogoconfig.h"
|
|
@@ -234,18 +235,16 @@ static int get_decoded_line(buff_t *buff)
|
|
* no more bytes left to read, even though before the iconvert
|
|
* call we had a positive number of bytes. This *will* lead to
|
|
* a message truncation which we try to avoid by simply
|
|
- * returning the original input buffer (which has positive
|
|
- * length) instead. */
|
|
+ * returning another in-band error code. */
|
|
if(buff->t.leng == 0) {
|
|
- memcpy(buff, linebuff, sizeof(*buff));
|
|
- *linebuff = (const buff_t){0};
|
|
+ count = -2;
|
|
+ } else {
|
|
+ /*
|
|
+ * iconvert, treating multi-byte sequences, can shrink or enlarge
|
|
+ * the output compared to its input. Correct count.
|
|
+ */
|
|
+ count = buff->t.leng;
|
|
}
|
|
-
|
|
- /*
|
|
- * iconvert, treating multi-byte sequences, can shrink or enlarge
|
|
- * the output compared to its input. Correct count.
|
|
- */
|
|
- count = buff->t.leng;
|
|
}
|
|
#endif
|
|
|
|
@@ -299,7 +298,9 @@ int buff_fill(buff_t *buff, size_t used, size_t need)
|
|
while (size - leng > 2 && need > leng - used) {
|
|
/* too few, read more */
|
|
int add = get_decoded_line(buff);
|
|
+ // get_decoded_line never returns EOF!?!
|
|
if (add == EOF) return EOF;
|
|
+ if (add == -2) continue;
|
|
if (add == 0) break ;
|
|
cnt += add;
|
|
leng += add;
|
|
@@ -332,8 +333,8 @@ int yyinput(byte *buf, size_t used, size_t size)
|
|
*/
|
|
|
|
while ((cnt = get_decoded_line(&buff)) != 0) {
|
|
-
|
|
- count += cnt;
|
|
+ if (cnt > 0)
|
|
+ count += cnt;
|
|
|
|
/* Note: some malformed messages can cause xfgetsl() to report
|
|
** "Invalid buffer size, exiting." and then abort. This
|
|
@@ -365,6 +366,7 @@ int yyinput(byte *buf, size_t used, size_t size)
|
|
if (msg_state &&
|
|
msg_state->mime_dont_decode &&
|
|
(msg_state->mime_disposition != MIME_DISPOSITION_UNKNOWN)) {
|
|
+ assert(count <= (int)size);
|
|
return (count == EOF ? 0 : count); /* not decode at all */
|
|
}
|
|
|
|
@@ -386,6 +388,7 @@ int yyinput(byte *buf, size_t used, size_t size)
|
|
if (DEBUG_LEXER(2))
|
|
fprintf(dbgout, "*** yyinput(\"%-.*s\", %lu, %lu) = %d\n", count, buf, (unsigned long)used, (unsigned long)size, count);
|
|
|
|
+ assert(count <= (int)size);
|
|
return (count == EOF ? 0 : count);
|
|
}
|
|
|
|
--
|
|
2.20.1
|
|
|