From: Heiko Schlittermann (HS12-RIPE) Date: Mon, 5 Feb 2018 21:23:32 +0000 (+0100) Subject: Fix base64d() buffer size (CVE-2018-6789) X-Git-Tag: exim-4_91_RC1~61 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/cf3cd306062a08969c41a1cdd32c6855f1abecf1?hp=38e3d2dff7982736f1e6833e06d4aab4652f337a Fix base64d() buffer size (CVE-2018-6789) Credits for discovering this bug: Meh Chang (cherry picked from commit 062990cc1b2f9e5d82a413b53c8f0569075de700) --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 1ee00168f..8ae418ab1 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file. For new options, and new features, see the NewStuff file next to this ChangeLog. -Exim version 4.91 ------------------ +Since Exim version 4.90 +----------------------- JH/01 Replace the store_release() internal interface with store_newblock(), which internalises the check required to safely use the old one, plus @@ -82,6 +82,8 @@ JH/15 Relax results from ACL control request to enable cutthrough, in ignoring. This covers use with PRDR, frozen messages, queue-only and fake-reject. +HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) + JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). diff --git a/src/src/base64.c b/src/src/base64.c index ae6874b8a..1d84c1e5c 100644 --- a/src/src/base64.c +++ b/src/src/base64.c @@ -152,10 +152,14 @@ static uschar dec64table[] = { int b64decode(const uschar *code, uschar **ptr) { + int x, y; -uschar *result = store_get(3*(Ustrlen(code)/4) + 1); +uschar *result; -*ptr = result; +{ + int l = Ustrlen(code); + *ptr = result = store_get(1 + l/4 * 3 + l%4); +} /* Each cycle of the loop handles a quantum of 4 input bytes. For the last quantum this may decode to 1, 2, or 3 output bytes. */