debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch

   1 From bf485bf34df3fc2214765497a5552851c6a8977a Mon Sep 17 00:00:00 2001
   2 From: Jeremy Harris <jgh146exb@wizmail.org>
   3 Date: Tue, 30 Dec 2014 20:39:02 +0000
   4 Subject: [PATCH] Fix crash in mime acl when a parameter is unterminated
   5
   6 Verified-by: Wolfgang Breyha <wbreyha@gmx.net>
   7 ---
   8  src/mime.c                  | 33 +++++++++++----------------------
   9  test/confs/4000                 |  1 +
  10  test/log/4000                   |  9 ++++++---
  11  test/mail/4000.userx            | 36 ++++++++++++++++++++++++++++++++++++
  12  test/scripts/4000-scanning/4000 | 27 +++++++++++++++++++++++++++
  13  test/stdout/4000                | 11 +++++++++++
  14  6 files changed, 92 insertions(+), 25 deletions(-)
  15
  16 diff --git a/src/mime.c b/src/mime.c
  17 index a61e9f2..e5fe476 100644
  18 --- a/src/mime.c
  19 +++ b/src/mime.c
  20 @@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH:
  21             /* found an interesting parameter? */
  22             if (strncmpic(mp->name, p, mp->namelen) == 0)
  23               {
  24 -             uschar * q = p + mp->namelen;
  25 -             int plen = 0;
  26               int size = 0;
  27               int ptr = 0;
  28
  29               /* yes, grab the value and copy to its corresponding expansion variable */
  30 -             while(*q && *q != ';')            /* ; terminates */
  31 -               if (*q == '"')
  32 +             p += mp->namelen;
  33 +             while(*p && *p != ';')            /* ; terminates */
  34 +               if (*p == '"')
  35                   {
  36 -                 q++;                          /* skip leading " */
  37 -                 plen++;                       /* and account for the skip */
  38 -                 while(*q && *q != '"')        /* " protects ; */
  39 -                   {
  40 -                   param_value = string_cat(param_value, &size, &ptr, q++, 1);
  41 -                   plen++;
  42 -                   }
  43 -                 if (*q)
  44 -                   {
  45 -                   q++;                        /* skip trailing " */
  46 -                   plen++;
  47 -                   }
  48 +                 p++;                          /* skip leading " */
  49 +                 while(*p && *p != '"')        /* " protects ; */
  50 +                   param_value = string_cat(param_value, &size, &ptr, p++, 1);
  51 +                 if (*p) p++;                  /* skip trailing " */
  52                   }
  53                 else
  54 -                 {
  55 -                 param_value = string_cat(param_value, &size, &ptr, q++, 1);
  56 -                 plen++;
  57 -                 }
  58 +                 param_value = string_cat(param_value, &size, &ptr, p++, 1);
  59 +             if (*p) p++;                      /* skip trailing ; */
  60
  61               if (param_value)
  62                 {
  63 +               uschar * dummy;
  64                 param_value[ptr++] = '\0';
  65
  66                 param_value = rfc2047_decode(param_value,
  67 -                     check_rfc2047_length, NULL, 32, NULL, &q);
  68 +                     check_rfc2047_length, NULL, 32, NULL, &dummy);
  69                 debug_printf("Found %s MIME parameter in %s header, "
  70                       "value is '%s'\n", mp->name, mime_header_list[i].name,
  71                       param_value);
  72                 }
  73               *mp->value = param_value;
  74 -             p += mp->namelen + plen + 1;      /* name=, content, ; */
  75               goto NEXT_PARAM_SEARCH;
  76             }
  77           }