smtp/mime: fix parsing edge case

Correctly track "remaining" bytes after partial base64 decoding.

Add comment clarifications and debug validation checks.

(cherry picked from commit 5953a7d2ebd20be2a9f578fae66face4e172b678)

diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
index edbd666ec8bcb2c6cb83d40784a0b9c40f15af08..150fac9957be8f630bfa7472ce1513691f2bf954 100644 (file)
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -1323,7 +1323,10 @@ static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
         return MIME_DEC_OK;
     }
 
-    /* First process remaining from previous line */
+    /* First process remaining from previous line. We will consume
+     * state->bvremain, filling it from 'buf' until we have a properly
+     * sized block. Spaces are skipped (rfc2045). If state->bvr_len
+     * is not 0 after procesing we have no data left at 'buf'. */
     if (state->bvr_len > 0) {
         uint32_t consumed = ProcessBase64Remainder(buf, len, state, 0);
         DEBUG_VALIDATE_BUG_ON(consumed > len);
@@ -1332,10 +1335,14 @@ static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
 
         uint32_t left = len - consumed;
         if (left < B64_BLOCK) {
+            DEBUG_VALIDATE_BUG_ON(left + state->bvr_len > B64_BLOCK);
+            if (left + state->bvr_len > B64_BLOCK)
+                return MIME_DEC_ERR_PARSE;
             memcpy(state->bvremain, buf + consumed, left);
-            state->bvr_len = left;
+            state->bvr_len += left;
             return MIME_DEC_OK;
         }
+
         remaining -= consumed;
         offset = consumed;
     }