From 0a6c61a564fc1582e6c22860a799887133a681ac Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 26 Jun 2022 02:29:34 +0200
Subject: [PATCH] smtp/mime: fix parsing edge case
Correctly track "remaining" bytes after partial base64 decoding. Add comment clarifications and debug validation checks.
(cherry picked from commit 5953a7d2ebd20be2a9f578fae66face4e172b678)
---
 src/util-decode-mime.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
index 66c1ee21f0..cdb8f336da 100644
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -1322,7 +1322,10 @@ static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
 return MIME_DEC_OK;
 }
- /* First process remaining from previous line */
+ /* First process remaining from previous line. We will consume
+ * state->bvremain, filling it from 'buf' until we have a properly
+ * sized block. Spaces are skipped (rfc2045). If state->bvr_len
+ * is not 0 after procesing we have no data left at 'buf'. */
 if (state->bvr_len > 0) {
 uint32_t consumed = ProcessBase64Remainder(buf, len, state, 0);
 DEBUG_VALIDATE_BUG_ON(consumed > len);
@@ -1331,10 +1334,14 @@ static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
 uint32_t left = len - consumed;
 if (left < B64_BLOCK) {
+ DEBUG_VALIDATE_BUG_ON(left + state->bvr_len > B64_BLOCK);
+ if (left + state->bvr_len > B64_BLOCK)
+ return MIME_DEC_ERR_PARSE;
 memcpy(state->bvremain, buf + consumed, left);
- state->bvr_len = left;
+ state->bvr_len += left;
 return MIME_DEC_OK;
 }
+ remaining -= consumed;
 offset = consumed;
 }
--
2.47.2
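Review bot: The block comment added in the first hunk (`@@ -1322,7 +1322,10 @@`) misspells "processing" as `procesing`. Its last sentence also carries the invariant that the later length handling depends on, namely that a non-zero `state->bvr_len` after `ProcessBase64Remainder()` means nothing is left at `buf`. It would read more clearly as a direct statement, for example `* is not 0 after processing, no data is left at 'buf'. */`. The body of ProcessBase64BodyLine starts and ends outside the hunk.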
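Review bot: In the second hunk (`@@ -1331,10 +1334,14 @@`) the length is now accumulated with `state->bvr_len += left;`, but the unchanged `memcpy` just above it still writes at the start of `state->bvremain`. If `state->bvr_len` and `left` are both non-zero, which the new bounds check accepts whenever their sum stays within `B64_BLOCK`, the carried-over bytes are overwritten while the length still counts them. Later decoding would then work on mixed or stale remainder bytes. The comment added in the first hunk says this combination should not occur, but the copy would match the new length arithmetic as `memcpy(state->bvremain + state->bvr_len, buf + consumed, left);`. This assumes `bvremain` holds `B64_BLOCK` bytes; its declaration and the rest of the function body are outside the hunk.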