[gmime: 14/24] Fix out-of-bounds read in tokenize_rfc2047_phrase()
- From: Jeffrey Stedfast <fejj src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gmime: 14/24] Fix out-of-bounds read in tokenize_rfc2047_phrase()
- Date: Sat, 26 Aug 2017 13:20:55 +0000 (UTC)
commit 1845550cc2149cb1085d8a9155803e9830f95461
Author: Jakub Wilk <jwilk jwilk net>
Date: Sun Jul 30 23:45:36 2017 +0200
Fix out-of-bounds read in tokenize_rfc2047_phrase()
strchr("BbQq", ...) was meant to check for these four characters, but
it returns true also for the null byte.
If a header ended with the "=?<charset>?" sequence, the original code
would read past the terminating null byte.
gmime/gmime-utils.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/gmime/gmime-utils.c b/gmime/gmime-utils.c
index 5046d8c..6661ea6 100644
--- a/gmime/gmime-utils.c
+++ b/gmime/gmime-utils.c
@@ -1526,7 +1526,7 @@ tokenize_rfc2047_phrase (GMimeParserOptions *options, const char *in, size_t *le
}
/* sanity check encoding type */
- if (inptr[0] != '?' || !strchr ("BbQq", inptr[1]) || inptr[2] != '?')
+ if (inptr[0] != '?' || inptr[1] == '\0' || !strchr ("BbQq", inptr[1])
|| inptr[2] != '?')
goto non_rfc2047;
inptr += 3;
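Review bot: the new `inptr[1] == '\0'` clause in the sanity check carries no comment, and next to `strchr ("BbQq", inptr[1])` it looks redundant to anyone who does not remember that strchr() also matches the search string's own terminator. A short comment on that line, for example `/* strchr() matches the terminating NUL too */`, would keep a later cleanup from removing it and reintroducing the read of `inptr[2]` past the end of the header. The diffstat lists only gmime/gmime-utils.c, so no regression test accompanies the change; a test feeding a header that ends in "=?<charset>?" would pin the behaviour down.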
@@ -1657,7 +1657,7 @@ tokenize_rfc2047_text (GMimeParserOptions *options, const char *in, size_t *len)
}
/* sanity check encoding type */
- if (inptr[0] != '?' || !strchr ("BbQq", inptr[1]) || inptr[2] != '?')
+ if (inptr[0] != '?' || inptr[1] == '\0' || !strchr ("BbQq", inptr[1])
|| inptr[2] != '?')
goto non_rfc2047;
inptr += 3;
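Review bot: the same three-clause check is patched here in tokenize_rfc2047_text(), but the commit subject and message name only tokenize_rfc2047_phrase(), so anyone searching the log for the text tokenizer will not find this fix. Mention both functions in the message. Since the condition is now duplicated verbatim in two places, consider moving it into one small static helper that both tokenizers call, so the two copies cannot drift apart the next time the check changes.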