[gmime: 15/24] Fix out-of-bounds read in decode_quoted_string()



commit c34f4186fa3491bcfab102cb9f1534614d38f564
Author: Jakub Wilk <jwilk jwilk net>
Date:   Mon Jul 31 00:00:15 2017 +0200

    Fix out-of-bounds read in decode_quoted_string()
    
    If a malformed header ended right after backslash, the original code
    would jump over the terminating null byte.

 gmime/gmime-param.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/gmime/gmime-param.c b/gmime/gmime-param.c
index 8cf4732..29b44eb 100644
--- a/gmime/gmime-param.c
+++ b/gmime/gmime-param.c
@@ -903,7 +903,7 @@ decode_quoted_string (const char **in)
        start = inptr++;
        
        while (*inptr && *inptr != '"') {
-               if (*inptr++ == '\\') {
+               if (*inptr++ == '\\' && *inptr) {
                        unescape = TRUE;
                        inptr++;
                }
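Review bot: The new condition `if (*inptr++ == '\\' && *inptr) {` in the scanning loop is correct only because `&&` sequences the post-increment before the second `*inptr` read, which is easy to misread and easy to break in a later edit. A short comment saying that a backslash directly before the terminating null byte is not treated as an escape would make the intent explicit. In that case `unescape` is also left unset by this iteration, so it is worth confirming that the code after the loop does the right thing for a value whose only backslash is the trailing one.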
@@ -925,7 +925,8 @@ decode_quoted_string (const char **in)
                while (*inptr) {
                        if (*inptr == '\\')
                                inptr++;
-                       *outptr++ = *inptr++;
+                       if (*inptr)
+                               *outptr++ = *inptr++;
                }
                
                *outptr = '\0';
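Review bot: With the added `if (*inptr)` guard in the copy loop, a backslash that is the last character is skipped and nothing is written for it, so the trailing backslash is silently dropped from the decoded value. That is a reasonable choice for a malformed header, but it should be stated in a comment next to the guard so the behaviour is deliberate rather than incidental. The diffstat lists only gmime/gmime-param.c, so no regression test accompanies the fix; a test case with a quoted parameter value that ends right after a backslash would cover both changed loops.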

