From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Tue, 5 Apr 2022 11:05:52 -0700
Subject: [PATCH] Fix uudecode buffer overflow.
mutt_decode_uuencoded() used each line's initial "length character"
without any validation. It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.
As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust. However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.
Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.
---
handler.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/handler.c b/handler.c
index d1b4bc73..c97cf0cb 100644
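--- a/handler.c
+++ b/handler.c
@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
 pt = tmps;
 linelen = decode_byte (*pt);
 pt++;
- for (c = 0; c < linelen;)
+ for (c = 0; c < linelen && *pt;)
 {
- for (l = 2; l <= 6; l += 2)
+ for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
 {
 out = decode_byte (*pt) << l;
 pt++;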
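Review bot: The two new loop guards rely on an invariant that is not written down in the hunk: the inner `for` needs `*pt && *(pt + 1)` rather than just `*pt` because each step appears to consume two input characters (the second read comes after the `pt++` that ends the hunk, so it is not visible here), and checking only `*pt` would still let the decoder read the byte after the terminator. A short comment above the inner `for` would keep a later cleanup from simplifying the condition away, e.g. `/* each step reads pt[0] and pt[1]; never step past the NUL, whatever the length char claims */`. Separately, a line whose length character claims more data than the line actually holds is now decoded short with no signal; a `c < linelen` comparison after the outer loop would be the place to log or reject such a line if a follow-up wants that. The body of mutt_decode_uuencoded starts before and continues after this hunk.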
--
2.34.1