1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
From db3f056da3b16afa09bf807c717664689d35bdcb Mon Sep 17 00:00:00 2001
From: Georg Sauthoff <mail@georg.so>
Date: Fri, 8 Feb 2019 19:12:29 +0100
Subject: [PATCH 10/11] Fix fill_buf heap-buffer-overflow (#123)
cf. https://sourceforge.net/p/bogofilter/bugs/123/
---
src/lexer.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/lexer.c b/src/lexer.c
index 60692b6..b7b4b3b 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -11,6 +11,7 @@
#include <ctype.h>
#include <stdlib.h>
+#include <assert.h>
#include "base64.h"
#include "bogoconfig.h"
@@ -234,18 +235,16 @@ static int get_decoded_line(buff_t *buff)
* no more bytes left to read, even though before the iconvert
* call we had a positive number of bytes. This *will* lead to
* a message truncation which we try to avoid by simply
- * returning the original input buffer (which has positive
- * length) instead. */
+ * returning another in-band error code. */
if(buff->t.leng == 0) {
- memcpy(buff, linebuff, sizeof(*buff));
- *linebuff = (const buff_t){0};
+ count = -2;
+ } else {
+ /*
+ * iconvert, treating multi-byte sequences, can shrink or enlarge
+ * the output compared to its input. Correct count.
+ */
+ count = buff->t.leng;
}
-
- /*
- * iconvert, treating multi-byte sequences, can shrink or enlarge
- * the output compared to its input. Correct count.
- */
- count = buff->t.leng;
}
#endif
@@ -299,7 +298,9 @@ int buff_fill(buff_t *buff, size_t used, size_t need)
while (size - leng > 2 && need > leng - used) {
/* too few, read more */
int add = get_decoded_line(buff);
+ // get_decoded_line never returns EOF!?!
if (add == EOF) return EOF;
+ if (add == -2) continue;
if (add == 0) break ;
cnt += add;
leng += add;
@@ -332,8 +333,8 @@ int yyinput(byte *buf, size_t used, size_t size)
*/
while ((cnt = get_decoded_line(&buff)) != 0) {
-
- count += cnt;
+ if (cnt > 0)
+ count += cnt;
/* Note: some malformed messages can cause xfgetsl() to report
** "Invalid buffer size, exiting." and then abort. This
@@ -365,6 +366,7 @@ int yyinput(byte *buf, size_t used, size_t size)
if (msg_state &&
msg_state->mime_dont_decode &&
(msg_state->mime_disposition != MIME_DISPOSITION_UNKNOWN)) {
+ assert(count <= (int)size);
return (count == EOF ? 0 : count); /* not decode at all */
}
@@ -386,6 +388,7 @@ int yyinput(byte *buf, size_t used, size_t size)
if (DEBUG_LEXER(2))
fprintf(dbgout, "*** yyinput(\"%-.*s\", %lu, %lu) = %d\n", count, buf, (unsigned long)used, (unsigned long)size, count);
+ assert(count <= (int)size);
return (count == EOF ? 0 : count);
}
--
2.20.1
|
