Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
mutt.23793
uudecode-e5ed080c.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File uudecode-e5ed080c.patch of Package mutt.23793
From e5ed080c00e59701ca62ef9b2a6d2612ebf765a5 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy <kevin@8t8.us> Date: Tue, 5 Apr 2022 11:05:52 -0700 Subject: [PATCH] Fix uudecode buffer overflow. mutt_decode_uuencoded() used each line's initial "length character" without any validation. It would happily read past the end of the input line, and with a suitable value even past the length of the input buffer. As I noted in ticket 404, there are several other changes that could be added to make the parser more robust. However, to avoid accidentally introducing another bug or regression, I'm restricting this patch to simply addressing the overflow. Thanks to Tavis Ormandy for reporting the issue, along with a sample message demonstrating the problem. --- handler.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git handler.c handler.c index d1b4bc73..c97cf0cb 100644 --- handler.c +++ handler.c @@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd) pt = tmps; linelen = decode_byte (*pt); pt++; - for (c = 0; c < linelen;) + for (c = 0; c < linelen && *pt;) { - for (l = 2; l <= 6; l += 2) + for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2) { out = decode_byte (*pt) << l; pt++; -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor