Commit e5ed080c authored by Kevin J. McCarthy

Fix uudecode buffer overflow.

mutt_decode_uuencoded() used each line's initial "length character"
without any validation.  It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.

As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust.  However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.

Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.
parent aa28abe8
......@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
pt = tmps;
linelen = decode_byte (*pt);
pt++;
for (c = 0; c < linelen;)
for (c = 0; c < linelen && *pt;)
{
for (l = 2; l <= 6; l += 2)
for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
{
out = decode_byte (*pt) << l;
pt++;
......
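Review bot: The new `*pt` guards in both loop conditions only help if `pt` is still inside the string when they run, and the two context lines above the outer loop, `linelen = decode_byte (*pt);` followed by `pt++;`, advance unconditionally. If `tmps` can be empty at this point (the lines shown do not say whether that is ruled out earlier), `pt++` steps past the terminating NUL and the `*pt` test in `for (c = 0; c < linelen && *pt;)` reads one byte beyond it. Consider testing `*pt` before the increment, or add a comment naming the earlier check that guarantees a non-empty line. A short comment stating that the bounds check relies on `tmps` being NUL-terminated, and that a line shorter than its length character is now silently cut short, would also help the next reader.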