From: Timo Sirainen
Date: Tue, 22 Nov 2016 16:33:12 +0000 (+0200)
Subject: lib-mail: Fix assert-crash in mail_html2text_more() with invalid input.
X-Git-Tag: 2.2.27~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=582003e3dd2ccc7846c4ee4a8eae054cb2a5339f;p=thirdparty%2Fdovecot%2Fcore.git

lib-mail: Fix assert-crash in mail_html2text_more() with invalid input.

parse_data() continues forward thinking that it might have valid input, until it has enough data and realizes that there's nothing valid. This triggers: Panic: file mail-html2text.c: line 312 (mail_html2text_more): assertion failed: (pos >= buf_orig_size)
---
diff --git a/src/lib-mail/mail-html2text.c b/src/lib-mail/mail-html2text.c
index f15acf2d05..ddde6bd6a2 100644
--- a/src/lib-mail/mail-html2text.c
+++ b/src/lib-mail/mail-html2text.c
@@ -307,18 +307,22 @@ void mail_html2text_more(struct mail_html2text *ht,
 buffer_append(ht->input, data, inc_size);
 pos = parse_data(ht, ht->input->data, ht->input->used, output);
- if (pos != 0) {
- /* we parsed forward */
- i_assert(pos >= buf_orig_size);
- data += pos - buf_orig_size;
- size -= pos - buf_orig_size;
- buffer_set_used_size(ht->input, 0);
- } else {
+ if (pos == 0) {
 /* we need to add more data into buffer */
 data += inc_size;
 size -= inc_size;
 if (size == 0) return;
+ } else if (pos >= buf_orig_size) {
+ /* we parsed forward */
+ data += pos - buf_orig_size;
+ size -= pos - buf_orig_size;
+ buffer_set_used_size(ht->input, 0);
+ } else {
+ /* invalid input - eat away what we parsed so far
+ and retry */
+ buffer_set_used_size(ht->input, buf_orig_size);
+ buffer_delete(ht->input, 0, pos);
 }
 }
 pos = parse_data(ht, data, size, output);
diff --git a/src/lib-mail/test-mail-html2text.c b/src/lib-mail/test-mail-html2text.c
index 190a0740ec..953b26e2cb 100644
--- a/src/lib-mail/test-mail-html2text.c
+++ b/src/lib-mail/test-mail-html2text.c
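Review bot: The new final `else` branch in mail_html2text_more() depends on an invariant its comment does not state: it is reached only when `0 < pos < buf_orig_size`, and the retry makes progress only because `pos` is non-zero, so `buffer_delete(ht->input, 0, pos)` leaves strictly less buffered data than before. This code runs on message content the sender controls, and the earlier wrong assumption at this spot was an assert that aborted the process, so I would spell the reasoning out, e.g. `/* invalid input: 0 < pos < buf_orig_size. Drop the bytes appended above and the parsed prefix, then retry; pos > 0 means the buffer shrinks each time */`. `data` and `size` appear to be left untouched here on purpose so that the same bytes are appended again on the next pass, which deserves a word in the comment too. The loop header and the start of the function are outside the hunk, so the loop condition is assumed rather than seen.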
@@ -10,6 +10,8 @@ static struct {
 const char *input;
 const char *output;
 } tests[] = {
+ { "&&aaaaaaaaaa", "" },
+ { "a&<♣>b", "a&<\xE2\x99\xA3>b" },
 { "&", "" },