From d75eaee07138aa661b5c8b49242d20ba95894efb Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 14:11:48 +0800
Subject: [PATCH] (CVE-2023-4874) Fix write_one_header() illegal header check.
This is another crash caused by the rfc2047 decoding bug fixed in the
second prior commit.
In this case, an empty header line followed by a header line starting
with ":", would result in t==end.
The mutt_substrdup() further below would go very badly at that point,
with t >= end+1. This could result in either a memcpy onto NULL or a
huge malloc call.
Thanks to Chenyuan Mi (@morningbread) for giving a working example
draft message of the rfc2047 decoding flaw. This allowed me, with
further testing, to discover this additional crash bug.
(cherry picked from commit a4752eb0ae0a521eec02e59e51ae5daedf74fda0)
---
sendlib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sendlib.c b/sendlib.c
index b0b94b4f..7d2feb62 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2121,7 +2121,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
else
{
t = strchr (start, ':');
- if (!t || t > end)
+ if (!t || t >= end)
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));
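Review bot: The new `t >= end` bound on the `strchr` result at the changed line deserves an in-code comment, because `>=` reads like an off-by-one to a later maintainer and the reason (a ':' found exactly at `end` is not part of this header, so the key is empty, and the `mutt_substrdup` call further down assumes `t < end`) lives only in the commit message. I would add above the condition: `/* t == end: the ':' lies past this header's last byte (empty line followed by ":..."); mutt_substrdup below requires t < end */`. The `mutt_substrdup` call and the rest of write_one_header are outside the hunk, so the exact bound it needs should be confirmed against that code; the function starts before and continues after the hunk. It is also worth confirming that `end` always points into the same NUL-terminated buffer as `start`, since `strchr` scans to the terminator and the pointer comparison is only meaningful for pointers into one object.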