Pull request #4826: Chunked MIME boundary

Merge in SNORT/snort3 from ~OSHUMEIK/snort3:mime_boundary to master

Squashed commit of the following:

commit 1ea9887bbf77202ff36f915722c58eb193f31bd6
Author: Oleksii Shumeiko <oshumeik@cisco.com>
Date:   Mon Jul 21 18:37:19 2025 +0300

    mime: fix out-of-bounds in case of short boundary chunks

diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc
index 9dbd0627e959d4fabb510560b89b9fc4a2658848..b7e8da6401011f04ebbd3288a3be163436b362a7 100644 (file)
--- a/src/mime/file_mime_process.cc
+++ b/src/mime/file_mime_process.cc
@@ -459,7 +459,7 @@ const uint8_t* MimeSession::process_mime_body(const uint8_t* ptr,
 {
     auto data_size = data_end - ptr;
 
-    if (partial_data && mime_boundary.boundary_search_len < data_size)
+    if (partial_data)
     {
         delete[] rebuilt_data;
         rebuilt_data = new uint8_t[partial_data_len + data_size];
@@ -474,7 +474,9 @@ const uint8_t* MimeSession::process_mime_body(const uint8_t* ptr,
         partial_data_len = 0;
     }
 
-    const uint8_t* attach_end = isFileEnd(position) && mime_boundary.boundary_search_len < data_size
+    assert(isFileEnd(position) or mime_boundary.boundary_search_len <= data_size);
+
+    const uint8_t* attach_end = isFileEnd(position)
         ? GetDataEnd(ptr, ptr + data_size) : ptr + data_size - mime_boundary.boundary_search_len;
 
     if (!isFileEnd(position)
@@ -484,6 +486,9 @@ const uint8_t* MimeSession::process_mime_body(const uint8_t* ptr,
         partial_data_len = mime_boundary.boundary_search_len;
         partial_data = new uint8_t[partial_data_len];
         memcpy(partial_data, attach_end, partial_data_len);
+
+        assert(ptr <= attach_end);
+        assert(ptr + data_size == attach_end + partial_data_len);
     }
 
     if (ptr < attach_end && decode_state)