Commit ee7cb4e4 authored by Pietro Cerutti, committed by Richard Russon

Fix uudecode buffer overflow

mutt_decode_uuencoded() used each line's initial "length character"
without any validation.  It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.

As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust.  However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.

Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.

Upstream-commit: muttmua/mutt@e5ed080c

Co-authored-by: Kevin McCarthy <kevin@8t8.us>
parent e13d420c
...@@ -390,9 +390,9 @@ static void decode_uuencoded(struct State *s, long len, bool istext, iconv_t cd) ...@@ -390,9 +390,9 @@ static void decode_uuencoded(struct State *s, long len, bool istext, iconv_t cd)
pt = tmps; pt = tmps;
const unsigned char linelen = decode_byte(*pt); const unsigned char linelen = decode_byte(*pt);
pt++; pt++;
for (unsigned char c = 0; c < linelen;) for (unsigned char c = 0; (c < linelen) && *pt;)
{ {
for (char l = 2; l <= 6; l += 2) for (char l = 2; (l <= 6) && pt[0] && pt[1]; l += 2)
{ {
char out = decode_byte(*pt) << l; char out = decode_byte(*pt) << l;
pt++; pt++;
......
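Review bot: In both `for` headers the new bound is the string terminator (`*pt`, and `pt[0] && pt[1]`), while `linelen` from `decode_byte(*pt)` is still accepted without being compared against the number of characters actually present on the line. The read now stops at the end of the line only because `tmps` is NUL-terminated at this point, so a short comment stating that invariant above the outer loop would make the dependency explicit. In the visible lines a line shorter than its length character claims simply ends the loop early, with nothing marking the output as truncated; consider checking the remaining length of `pt` against the size implied by `linelen` before the loop and skipping or flagging the line on a mismatch, as part of the follow-up hardening the commit message mentions.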