CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)

committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Tue, 27 Apr 2021 22:40:50 +0000 (00:40 +0200)
author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 27 Apr 2021 22:40:50 +0000 (00:40 +0200)
diff --git a/src/src/parse.c b/src/src/parse.c

index 32b42cd29771e81d50fd450bc9eab4af6c672195..086b010c3f2675f0ae7c5ffdefe0c577e45df857 100644 (file)
--- a/src/src/parse.c
+++ b/src/src/parse.c
@@ -979,12 +979,12 @@ if (i < len)
  
  /* No non-printers; use the RFC 822 quoting rules */
  
-if (!len)
+if (len <= 0 || len >= INT_MAX/4)
    {
-  return string_copy_taint(US"", is_tainted(phrase));
+  return string_copy_taint(CUS"", is_tainted(phrase));
    }
  
-buffer = store_get(len*4, is_tainted(phrase));
+buffer = store_get((len+1)*4, is_tainted(phrase));
  
  s = phrase;
  end = s + len;
author	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Tue, 27 Apr 2021 22:40:50 +0000 (00:40 +0200)