From d9eb04e6a0d6cd3d66fa8c33a088df44b9f0fbbd Mon Sep 17 00:00:00 2001
From: "Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco)"
Date: Tue, 22 Jul 2025 15:26:15 +0000
Subject: [PATCH] Pull request #4826: Chunked MIME boundary

Merge in SNORT/snort3 from ~OSHUMEIK/snort3:mime_boundary to master

Squashed commit of the following:

commit 1ea9887bbf77202ff36f915722c58eb193f31bd6
Author: Oleksii Shumeiko
Date: Mon Jul 21 18:37:19 2025 +0300

mime: fix out-of-bounds in case of short boundary chunks
---
 src/mime/file_mime_process.cc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc
index 9dbd0627e..b7e8da640 100644
--- a/src/mime/file_mime_process.cc
+++ b/src/mime/file_mime_process.cc
@@ -459,7 +459,7 @@ const uint8_t* MimeSession::process_mime_body(const uint8_t* ptr,
 {
 auto data_size = data_end - ptr;
- if (partial_data && mime_boundary.boundary_search_len < data_size)
+ if (partial_data)
 {
 delete[] rebuilt_data;
 rebuilt_data = new uint8_t[partial_data_len + data_size];
@@ -474,7 +474,9 @@ const uint8_t* MimeSession::process_mime_body(const uint8_t* ptr,
 partial_data_len = 0;
 }
- const uint8_t* attach_end = isFileEnd(position) && mime_boundary.boundary_search_len < data_size
+ assert(isFileEnd(position) or mime_boundary.boundary_search_len <= data_size);
+
+ const uint8_t* attach_end = isFileEnd(position)
 ? GetDataEnd(ptr, ptr + data_size) : ptr + data_size - mime_boundary.boundary_search_len;
 if (!isFileEnd(position)
@@ -484,6 +486,9 @@ const uint8_t* MimeSession::process_mime_body(const uint8_t* ptr,
 partial_data_len = mime_boundary.boundary_search_len;
 partial_data = new uint8_t[partial_data_len];
 memcpy(partial_data, attach_end, partial_data_len);
+
+ assert(ptr <= attach_end);
+ assert(ptr + data_size == attach_end + partial_data_len);
 }
 if (ptr < attach_end && decode_state)
-- 
2.47.3
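Review bot: The now-unconditional `if (partial_data)` branch in the hunk at -459,7 +459,7 has no comment saying why the carried-over tail must be merged even when the new chunk is shorter than the boundary search length. As far as the visible hunks show, the merge is what keeps `data_size` at or above `mime_boundary.boundary_search_len` on later calls, because the third hunk stores exactly that many bytes in `partial_data`. A comment above the `if` would record this, for example `// Always prepend the carried-over tail, so a short chunk cannot leave data_size below boundary_search_len.` The rest of the branch body lies outside the hunk, so this reasoning should be confirmed against the full function.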
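Review bot: In the hunk at -474,7 +474,9, the only check that `mime_boundary.boundary_search_len <= data_size` holds on the non-final path is an `assert`, which is compiled out when NDEBUG is defined. If a chunk shorter than the boundary search length can reach this point with no `partial_data` carried over, a release build still computes `attach_end = ptr + data_size - mime_boundary.boundary_search_len` in front of `ptr`, and the `memcpy` in the next hunk then reads from there. The chunk length comes from inspected traffic, so the precondition deserves a runtime guard as well, such as `if (!isFileEnd(position) and data_size < mime_boundary.boundary_search_len)` that buffers the chunk and returns before the subtraction. The `if (!isFileEnd(position) ...` condition continues outside the hunk and may already cover this; if so, a comment next to the assert should say that. The asserts added in the hunk at -484,6 +486,9 have the same release-build limitation.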
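Review bot: In the hunk at -484,6 +486,9, `assert(ptr <= attach_end)` and `assert(ptr + data_size == attach_end + partial_data_len)` run after `memcpy(partial_data, attach_end, partial_data_len)`. If the invariant is violated, a debug build therefore performs the out-of-range read before the assertion can stop it. Moving both asserts above `partial_data = new uint8_t[partial_data_len];` turns them into preconditions of the copy, and a failing run then stops before the allocation and the read. The enclosing `if` block starts outside the hunk.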