From cf3cd306062a08969c41a1cdd32c6855f1abecf1 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12-RIPE)" Date: Mon, 5 Feb 2018 22:23:32 +0100 Subject: [PATCH] Fix base64d() buffer size (CVE-2018-6789) Credits for discovering this bug: Meh Chang (cherry picked from commit 062990cc1b2f9e5d82a413b53c8f0569075de700) --- doc/doc-txt/ChangeLog | 6 ++++-- src/src/base64.c | 8 ++++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 1ee00168f..8ae418ab1 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file. For new options, and new features, see the NewStuff file next to this ChangeLog. -Exim version 4.91 ------------------ +Since Exim version 4.90 +----------------------- JH/01 Replace the store_release() internal interface with store_newblock(), which internalises the check required to safely use the old one, plus @@ -82,6 +82,8 @@ JH/15 Relax results from ACL control request to enable cutthrough, in ignoring. This covers use with PRDR, frozen messages, queue-only and fake-reject. +HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) + JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). diff --git a/src/src/base64.c b/src/src/base64.c index ae6874b8a..1d84c1e5c 100644 --- a/src/src/base64.c +++ b/src/src/base64.c @@ -152,10 +152,14 @@ static uschar dec64table[] = { int b64decode(const uschar *code, uschar **ptr) { + int x, y; -uschar *result = store_get(3*(Ustrlen(code)/4) + 1); +uschar *result; -*ptr = result; +{ + int l = Ustrlen(code); + *ptr = result = store_get(1 + l/4 * 3 + l%4); +} /* Each cycle of the loop handles a quantum of 4 input bytes. For the last quantum this may decode to 1, 2, or 3 output bytes. */ -- 2.30.2