File bogofilter-SA-2010-01.diff of Package bogofilter
bugfix: prevent memory corruption in base64_decode
If a string starting with an equal-sign is passed to the base64_decode
function it triggers a memory corruption that in some cases makes
bogofilter crash.
If the first character in word->text is '=', then in base_64.c:50
`shorten' will be set to 4, the loop in lines 59-63 is skipped and the code
d += 3 - shorten;
will actually rewind the string-pointer d by one, thus causing the
function to write to a potentially invalid memory area in subsequent
calls. (Because *d at that point is the first character in the string.)
Author: Julius Plenz <plenz@cis.fu-berlin.de>
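The following is an added example, not bogofilter's own base64.c: it reconstructs the decoder shape the description above talks about (decode each 4-character group into up to three bytes, with `shorten' counting the '=' padding characters, then advance the output cursor by `3 - shorten') so that the rewind can be observed on a constructed input. The function names (`decode_demo', `decodes_to', `lowest_cursor'), the test string "=abcTWFu" and the use of an index instead of a raw pointer are assumptions of this example. The cursor is kept as a signed index and writes at negative indices are skipped, so the demo itself stays memory safe while still reporting the negative position the unguarded arithmetic produces; `guarded=1` applies the same `shorten != 4` check the patch adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bogofilter's code: a base64 group decoder built the way
 * the patch description describes it, with a switch that enables or disables
 * the patch's `shorten != 4' guard. */

/* Value of one base64 alphabet character; -1 for '=' or anything else. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode whole 4-character groups of `text' into `out'. Returns the final
 * output cursor; *min_cursor receives the lowest value the cursor reached,
 * which is negative exactly when the unguarded `d += 3 - shorten' stepped
 * backwards (the bug). Writes outside [0, outlen) are dropped here; in the
 * real decoder they would land before the start of word->text. */
long decode_demo(const char *text, unsigned char *out, size_t outlen,
                 int guarded, int *min_cursor)
{
    long d = 0;                     /* output cursor, stands in for `d' */
    size_t n = strlen(text);
    *min_cursor = 0;

    for (size_t pos = 0; pos + 4 <= n; pos += 4) {
        int shorten = 0;            /* 4 - index of the first '=' in the group */
        uint32_t v = 0;             /* 24 bits of payload for this group */

        for (int i = 0; i < 4; i++) {
            unsigned char c = (unsigned char)text[pos + i];
            if (c == '=') {
                if (shorten == 0)
                    shorten = 4 - i;  /* '=' first => shorten == 4 */
                v <<= 6;
            } else {
                int val = b64_value(c);
                v = (v << 6) | (uint32_t)(val < 0 ? 0 : val);
            }
        }

        /* 3 - shorten data bytes, high byte first; -1 when shorten == 4. */
        int nbytes = 3 - shorten;
        for (int i = 0; i < nbytes; i++) {
            long idx = d + i;
            if (idx >= 0 && (size_t)idx < outlen)
                out[idx] = (unsigned char)(v >> (16 - 8 * i));
        }

        /* The original unconditional advance; the patch skips it when the
         * group held only padding, because 3 - 4 == -1 would rewind d. */
        if (!guarded || shorten != 4)
            d += 3 - shorten;

        if (d < *min_cursor)
            *min_cursor = (int)d;
    }
    return d;
}

/* 1 if decoding `text' yields exactly `expect', else 0. */
int decodes_to(const char *text, const char *expect, int guarded)
{
    unsigned char out[64] = {0};
    int min_cursor;
    long n = decode_demo(text, out, sizeof out, guarded, &min_cursor);
    return n == (long)strlen(expect) && memcmp(out, expect, (size_t)n) == 0;
}

/* Lowest cursor position reached while decoding `text'. */
int lowest_cursor(const char *text, int guarded)
{
    unsigned char out[64];
    int min_cursor;
    (void)decode_demo(text, out, sizeof out, guarded, &min_cursor);
    return min_cursor;
}

int main(void)
{
    /* Constructed input: a padding-only group followed by a valid group. */
    const char *bad = "=abcTWFu";
    printf("unguarded lowest cursor: %d\n", lowest_cursor(bad, 0));
    printf("guarded lowest cursor:   %d\n", lowest_cursor(bad, 1));
    printf("guarded decodes to \"Man\": %d\n", decodes_to(bad, "Man", 1));
    return 0;
}
```

Run unguarded on "=abcTWFu", the cursor drops to -1 after the first group, so the bytes of "TWFu" are written one position too early: the first byte goes before the buffer and the output reads "an" at offset 0 instead of "Man". With the guard the cursor stays at 0 and the second group decodes in place.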
Index: bogofilter/src/base64.c
===================================================================
--- bogofilter/src/base64.c (Revision 6903)
+++ bogofilter/src/base64.c (Revision 6904)
@@ -61,9 +61,11 @@
d[i] = c;
v = v >> 8;
}
- d += 3 - shorten;
- count += 3 - shorten;
+ if(shorten != 4) {
+ d += 3 - shorten;
+ count += 3 - shorten;
}
+ }
/* XXX do we need this NUL byte? */
if (word->leng)
*d = (byte) '\0'; /* safe, base64 is always longer than original */
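Review bot: the new `if(shorten != 4)` guard is undocumented, so a reader has to recover from the commit message why 4 is the special value; add a one-line comment above it, e.g. `/* shorten == 4: group was all padding, produced no bytes, do not rewind d */`, or name the constant, since `3 - shorten` going negative is the whole reason for the check. Two smaller points on the same lines: the surrounding code writes `if (word->leng)` with a space, while the added line uses `if(shorten != 4)`, so match the file's style; and note that the trailing `*d = (byte) '\0';` still runs on the unadvanced `d` in the `shorten == 4` case, which is the intended position now that `d` is no longer stepped back by one.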