1 files changed, 48 insertions, 0 deletions

diff --git a/patch.r7030 b/patch.r7030
new file mode 100644
index 0000000..1465e8a
--- /dev/null
+++ b/patch.r7030
@@ -0,0 +1,48 @@
+Index: bogofilter/src/lexer.c
+===================================================================
+--- bogofilter/src/lexer.c	(revision 7029)
++++ bogofilter/src/lexer.c	(revision 7030)
+@@ -329,7 +329,7 @@
+ 	count += cnt;
+ 
+ 	/* Note: some malformed messages can cause xfgetsl() to report
+-	** "Invalid buffer size, exiting."  ** and then abort.  This
++	** "Invalid buffer size, exiting."  and then abort.  This
+ 	** can happen when the parser is in html mode and there's a
+ 	** leading '<' but no closing '>'.
+ 	**
+@@ -343,9 +343,12 @@
+ 
+ 	if (count >= MAX_TOKEN_LEN * 2 && 
+ 	    long_token(buff.t.u.text, (uint) count)) {
+-	    uint start = buff.t.leng - count;
+-	    uint length = count - max_token_len;
+-	    buff_shift(&buff, start, length);
++	    /* Make sure not to shift bytes outside the buffer */
++	    if (buff.t.leng >= (uint) count) {
++		    uint start = buff.t.leng - count;
++		    uint length = count - max_token_len;
++		    buff_shift(&buff, start, length);
++	    }
+ 	    count = buff.t.leng;
+ 	}
+ 	else
+Index: bogofilter/NEWS
+===================================================================
+--- bogofilter/NEWS	(revision 7029)
++++ bogofilter/NEWS	(revision 7030)
+@@ -15,6 +15,14 @@
+ 
+ -------------------------------------------------------------------------------
+ 
++	2015-02-28
++
++	* Fix the lexer to not try to delete parts from HTML tokens if it is
++	  reading garbage (for instance, binary files misdeclared as HTML).
++	  This was exposed on Fedora 20 and 21 but not Ubuntu 14.04 (x86_64),
++	  and is possibly related to its newer flex 2.5.37 that may have
++	  changed the way it uses yyinput() a bit.  Reported by Matt Garretson.
++
+ 	2015-02-25
+ 
+ 	* Fix the lexer to handle MIME multipart messages properly when the