Commit | Line | Data |
---|---|---|
89fb561f AM |
1 | Description: Fix base64d() buffer size (CVE-2018-6789) |
2 | Credits for discovering this bug: Meh Chang <meh@devco.re> | |
3 | Origin: vendor | |
4 | Bug-Debian: https://bugs.debian.org/890000 | |
5 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6789 | |
6 | Forwarded: not-needed | |
7 | Author: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> | |
8 | Last-Update: 2018-02-10 | |
9 | --- | |
10 | ||
11 | --- a/src/base64.c | |
12 | +++ b/src/base64.c | |
13 | @@ -152,10 +152,14 @@ static uschar dec64table[] = { | |
14 | int | |
15 | b64decode(uschar *code, uschar **ptr) | |
16 | { | |
17 | + | |
18 | int x, y; | |
19 | -uschar *result = store_get(3*(Ustrlen(code)/4) + 1); | |
20 | +uschar *result; | |
21 | ||
22 | -*ptr = result; | |
23 | +{ | |
24 | + int l = Ustrlen(code); | |
25 | + *ptr = result = store_get(1 + l/4 * 3 + l%4); | |
26 | +} | |
27 | ||
28 | /* Each cycle of the loop handles a quantum of 4 input bytes. For the last | |
29 | quantum this may decode to 1, 2, or 3 output bytes. */ |