git://git.exim.org / exim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 55ab0c2)
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 12 Apr 2021 21:05:44 +0000 (23:05 +0200)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:57 +0000 (21:30 +0200)
Based on Phil Pennock's commit 76a1ce77.
Modified by Qualys.

(cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)
(cherry picked from commit 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46)

src/src/parse.c patch | blob | history

diff --git a/src/src/parse.c b/src/src/parse.c
index e0470c86f51236265d9ba67b671e420c34b77112..fa339520624f51bb091be5a8cb216b556c669f40 100644 (file)
--- a/src/src/parse.c
+++ b/src/src/parse.c
@@ -984,12 +984,12 @@ if (i < len)
 
 /* No non-printers; use the RFC 822 quoting rules */
 
-if (!len)
+if (len <= 0 || len >= INT_MAX/4)
   {
-  return string_copy_taint(US"", is_tainted(phrase));
+  return string_copy_taint(CUS"", is_tainted(phrase));
   }
 
-buffer = store_get(len*4, is_tainted(phrase));
+buffer = store_get((len+1)*4, is_tainted(phrase));
 
 s = phrase;
 end = s + len;
Master Exim source repository