lib-mail: Fix read overflow / crash in message_header_decode()
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 24 Mar 2017 12:46:05 +0000 (14:46 +0200)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Mon, 27 Mar 2017 10:06:24 +0000 (13:06 +0300)
If the input string was "=?charset?Q|B?text?", the code attempted to look up
the character after it. And if it was "=", the callback was called with
size=-1, which ends up in a crash.

src/lib-mail/message-header-decode.c
src/lib-mail/test-message-header-decode.c

index 46372b8587c589a50855ac2225774a4dde15d76d..fb25decbd56a83ba36b14d40ad9bebea19dbf335 100644 (file)
@@ -24,7 +24,7 @@ message_header_decode_encoded(const unsigned char *data, size_t size,
                                break;
                }
        }
-       if (i == size || data[i+1] != '=') {
+       if (i+1 >= size || data[i+1] != '=') {
                /* invalid block */
                return 0;
        }
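Review bot: The new bound `i+1 >= size` has no comment saying why it is `i+1` rather than `i`, and the existing `/* invalid block */` does not mention the truncated-input case. Because the second operand reads `data[i+1]`, both the closing `?` at `i` and the `=` after it must lie inside the buffer; I would widen the comment to `/* invalid block: the closing "?=" must fit entirely inside data[0..size) */` so the check is not simplified back to `i == size` later. The function body starts and ends outside this hunk, so whether its earlier index reads are bounded the same way cannot be judged from here.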
@@ -128,6 +128,7 @@ void message_header_decode(const unsigned char *data, size_t size,
        }
 
        if (size != start_pos) {
+               i_assert(size > start_pos);
                (void)callback(data + start_pos, size - start_pos,
                               NULL, context);
        }
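Review bot: The added `i_assert(size > start_pos);` guards an unsigned subtraction, but nothing at the call site says so. `size` is a `size_t`, so if `start_pos` ever passes it, `size - start_pos` wraps to a very large length rather than going negative, and the callback would presumably read far past the header; a comment such as `/* start_pos must never pass size: size - start_pos would wrap */` would record that. The assert is a backstop, not handling: any future violation on what is presumably remotely supplied header data becomes a process abort, so the bounds check in message_header_decode_encoded() remains the actual fix. The function starts outside this hunk.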
index 901fb61f7a4c7f95451816c91ef9b861b3127818..31b9aec596d6b6819a90b72b246b3c6bcd8d5874 100644 (file)
@@ -50,6 +50,16 @@ static void test_message_header_decode(void)
        test_end();
 }
 
+static void test_message_header_decode_read_overflow(void)
+{
+       const unsigned char input[] = "=?utf-8?Q?=EF?=";
+       string_t *dest = t_str_new(32);
+
+       test_begin("message header decode read overflow");
+       message_header_decode_utf8(input, sizeof(input)-2, dest, NULL);
+       test_end();
+}
+
 static void test_message_header_decode_encode_random(void)
 {
        string_t *encoded, *decoded;
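Review bot: test_message_header_decode_read_overflow() asserts nothing: it passes whenever the call does not crash, and `dest` is never inspected. The byte one past the passed length is the array's own trailing `=`, so the over-read stays inside `input` and a memory checker would not flag it; the regression is caught only through the later abort. I would add a `test_assert()` on the contents of `dest` and a comment on the length, e.g. `/* sizeof-2 drops the NUL and the final '=', so the input ends at "?" */`. A second case with the input copied into an exactly sized heap buffer would let valgrind or ASan see the read itself.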
@@ -94,6 +104,7 @@ int main(void)
 {
        static void (*test_functions[])(void) = {
                test_message_header_decode,
+               test_message_header_decode_read_overflow,
                test_message_header_decode_encode_random,
                NULL
        };