Fix base64d() buffer size (CVE-2018-6789)

Credits for discovering this bug: Meh Chang <meh@devco.re>

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 6e71f1fbb2c2de70ab739127fc12465a46ab4bdf..970ec07329201912a951679a81b5cbfa4b965b08 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 
-Since Exim version 4.90
------------------
+Exim version 4.90.1
+-------------------
 
 JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
       Previously only the last row was returned.
@@ -58,6 +58,8 @@ JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
       was marked defer_ok.  Fix to keep the two timeout-detection methods
       separate.
 
+HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
+
 JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
       metadata, resulting in a crash in free().
 

diff --git a/src/src/base64.c b/src/src/base64.c
index f6f187f075a0f924b6915872af9900e09ba0d580..e58ca6c75b7b68ee0cfc292259f266eb0a69a28a 100644 (file)
--- a/src/src/base64.c
+++ b/src/src/base64.c
@@ -152,10 +152,14 @@ static uschar dec64table[] = {
 int
 b64decode(const uschar *code, uschar **ptr)
 {
+
 int x, y;
-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
+uschar *result;
 
-*ptr = result;
+{
+  int l = Ustrlen(code);
+  *ptr = result = store_get(1 + l/4 * 3 + l%4);
+}
 
 /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
 quantum this may decode to 1, 2, or 3 output bytes. */