File CVE-2018-6789.patch of Package exim.7804

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-6789.patch of Package exim.7804

From 062990cc1b2f9e5d82a413b53c8f0569075de700 Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Mon, 5 Feb 2018 22:23:32 +0100
Subject: [PATCH] Fix base64d() buffer size (CVE-2018-6789)

Credits for discovering this bug: Meh Chang <meh@devco.re>

---
Upstream: merged
References: f4d091fbe1f4cc0a6a7c11c174eaca32402290ec

Backported from 4.90.1. The code has moved/consolidated, but the
affected lines are still present.
---
 src/auths/b64decode.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Index: exim-4.86.2/src/auths/b64decode.c
===================================================================
--- exim-4.86.2.orig/src/auths/b64decode.c
+++ exim-4.86.2/src/auths/b64decode.c
@@ -42,10 +42,14 @@ static uschar dec64table[] = {
 int
 auth_b64decode(uschar *code, uschar **ptr)
 {
+
 register int x, y;
-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
+uschar *result;
 
-*ptr = result;
+{
+  int l = Ustrlen(code);
+  *ptr = result = store_get(1 + l/4 * 3 + l%4);
+}
 
 /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
 quantum this may decode to 1, 2, or 3 output bytes. */

Places

File CVE-2018-6789.patch of Package exim.7804

Places