From: Heiko Schlittermann (HS12-RIPE) Date: Mon, 5 Feb 2018 21:23:32 +0000 (+0100) Subject: Fix base64d() buffer size (CVE-2018-6789) X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/062990cc1b2f9e5d82a413b53c8f0569075de700 Fix base64d() buffer size (CVE-2018-6789) Credits for discovering this bug: Meh Chang --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 6e71f1fbb..970ec0732 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file. For new options, and new features, see the NewStuff file next to this ChangeLog. -Since Exim version 4.90 ------------------ +Exim version 4.90.1 +------------------- JH/03 Fix pgsql lookup for multiple result-tuples with a single column. Previously only the last row was returned. @@ -58,6 +58,8 @@ JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as was marked defer_ok. Fix to keep the two timeout-detection methods separate. +HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) + JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). diff --git a/src/src/base64.c b/src/src/base64.c index f6f187f07..e58ca6c75 100644 --- a/src/src/base64.c +++ b/src/src/base64.c @@ -152,10 +152,14 @@ static uschar dec64table[] = { int b64decode(const uschar *code, uschar **ptr) { + int x, y; -uschar *result = store_get(3*(Ustrlen(code)/4) + 1); +uschar *result; -*ptr = result; +{ + int l = Ustrlen(code); + *ptr = result = store_get(1 + l/4 * 3 + l%4); +} /* Each cycle of the loop handles a quantum of 4 input bytes. For the last quantum this may decode to 1, 2, or 3 output bytes. */