[exim-cvs] CVE-2020-28016: Heap out-of-bounds write in pars…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
Gitweb: https://git.exim.org/exim.git/commitdiff/f83d4a2b3fedd9a8a0e7367db82a68a719f08e30
Commit:     f83d4a2b3fedd9a8a0e7367db82a68a719f08e30
Parent:     55ab0c211c3e0def1016971d3b3ebd47c006a751
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Apr 12 23:05:44 2021 +0200
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:57 2021 +0200


    CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()


    Based on Phil Pennock's commit 76a1ce77.
    Modified by Qualys.


    (cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)
    (cherry picked from commit 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46)
---
 src/src/parse.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)


diff --git a/src/src/parse.c b/src/src/parse.c
index e0470c8..fa33952 100644
--- a/src/src/parse.c
+++ b/src/src/parse.c
@@ -984,12 +984,12 @@ if (i < len)

/* No non-printers; use the RFC 822 quoting rules */

-if (!len)
+if (len <= 0 || len >= INT_MAX/4)
{
- return string_copy_taint(US"", is_tainted(phrase));
+ return string_copy_taint(CUS"", is_tainted(phrase));
}

-buffer = store_get(len*4, is_tainted(phrase));
+buffer = store_get((len+1)*4, is_tainted(phrase));

s = phrase;
end = s + len;