[hcoop/debian/exim4.git] / debian / patches / 82_Fix-base64d-buffer-size-CVE-2018-6789.patch

Description: Fix base64d() buffer size (CVE-2018-6789)
 Credits for discovering this bug: Meh Chang <meh@devco.re>
Origin: vendor
Bug-Debian: https://bugs.debian.org/890000
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6789
Forwarded: not-needed
Author: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Last-Update: 2018-02-10
---

--- a/src/base64.c
+++ b/src/base64.c
@@ -152,10 +152,14 @@ static uschar dec64table[] = {
 int
 b64decode(uschar *code, uschar **ptr)
 {
+
 int x, y;
-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
+uschar *result;
 
-*ptr = result;
+{
+  int l = Ustrlen(code);
+  *ptr = result = store_get(1 + l/4 * 3 + l%4);
+}
 
 /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
 quantum this may decode to 1, 2, or 3 output bytes. */
Commit	Line	Data
89fb561f AM	1	Description: Fix base64d() buffer size (CVE-2018-6789)
	2	Credits for discovering this bug: Meh Chang <meh@devco.re>
	3	Origin: vendor
	4	Bug-Debian: https://bugs.debian.org/890000
	5	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6789
	6	Forwarded: not-needed
	7	Author: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
	8	Last-Update: 2018-02-10
	9	---
	10
	11	--- a/src/base64.c
	12	+++ b/src/base64.c
	13	@@ -152,10 +152,14 @@ static uschar dec64table[] = {
	14	int
	15	b64decode(uschar code, uschar *ptr)
	16	{
	17	+
	18	int x, y;
	19	-uschar result = store_get(3(Ustrlen(code)/4) + 1);
	20	+uschar *result;
	21
	22	-*ptr = result;
	23	+{
	24	+ int l = Ustrlen(code);
	25	+ ptr = result = store_get(1 + l/4 3 + l%4);
	26	+}
	27
	28	/* Each cycle of the loop handles a quantum of 4 input bytes. For the last
	29	quantum this may decode to 1, 2, or 3 output bytes. */