1 From bf485bf34df3fc2214765497a5552851c6a8977a Mon Sep 17 00:00:00 2001
2 From: Jeremy Harris <jgh146exb@wizmail.org>
3 Date: Tue, 30 Dec 2014 20:39:02 +0000
4 Subject: [PATCH] Fix crash in mime acl when a parameter is unterminated
6 Verified-by: Wolfgang Breyha <wbreyha@gmx.net>
8 src/mime.c | 33 +++++++++++----------------------
10 test/log/4000 | 9 ++++++---
11 test/mail/4000.userx | 36 ++++++++++++++++++++++++++++++++++++
12 test/scripts/4000-scanning/4000 | 27 +++++++++++++++++++++++++++
13 test/stdout/4000 | 11 +++++++++++
14 6 files changed, 92 insertions(+), 25 deletions(-)
16 diff --git a/src/mime.c b/src/mime.c
17 index a61e9f2..e5fe476 100644
20 @@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH:
21 /* found an interesting parameter? */
22 if (strncmpic(mp->name, p, mp->namelen) == 0)
24 - uschar * q = p + mp->namelen;
29 /* yes, grab the value and copy to its corresponding expansion variable */
30 - while(*q && *q != ';') /* ; terminates */
33 + while(*p && *p != ';') /* ; terminates */
36 - q++; /* skip leading " */
37 - plen++; /* and account for the skip */
38 - while(*q && *q != '"') /* " protects ; */
40 - param_value = string_cat(param_value, &size, &ptr, q++, 1);
45 - q++; /* skip trailing " */
48 + p++; /* skip leading " */
49 + while(*p && *p != '"') /* " protects ; */
50 + param_value = string_cat(param_value, &size, &ptr, p++, 1);
51 + if (*p) p++; /* skip trailing " */
55 - param_value = string_cat(param_value, &size, &ptr, q++, 1);
58 + param_value = string_cat(param_value, &size, &ptr, p++, 1);
59 + if (*p) p++; /* skip trailing ; */
64 param_value[ptr++] = '\0';
66 param_value = rfc2047_decode(param_value,
67 - check_rfc2047_length, NULL, 32, NULL, &q);
68 + check_rfc2047_length, NULL, 32, NULL, &dummy);
69 debug_printf("Found %s MIME parameter in %s header, "
70 "value is '%s'\n", mp->name, mime_header_list[i].name,
73 *mp->value = param_value;
74 - p += mp->namelen + plen + 1; /* name=, content, ; */
75 goto NEXT_PARAM_SEARCH;
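Review bot: The error out-parameter of `rfc2047_decode()` is now written to `dummy` and never examined in the lines shown, while the return value is assigned straight back to `param_value` and handed to `debug_printf` as `%s` and to `*mp->value`. If the decoder can fail on a malformed encoded-word (its contract is not visible here), an attacker-supplied parameter value would be discarded or replaced without any trace in the log. I would keep the undecoded string in that case and log the reason, along the lines of `uschar * decoded = rfc2047_decode(param_value, check_rfc2047_length, NULL, 32, NULL, &dummy);` followed by `if (decoded) param_value = decoded; else debug_printf("rfc2047 decode failed for %s\n", mp->name);`. A short comment above the scan loop stating that an unterminated `"` now consumes the rest of the header, and that `p` is left on the terminating NUL, would also document the invariant this fix depends on. The declaration of `dummy` and the braces of the enclosing `if` are not among the hunk lines visible on this page, so the above is based only on the lines shown.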