From: Kevin McCarthy <kevin@8t8.us>
Date: Tue, 5 Apr 2022 11:05:52 -0700
Subject: Fix uudecode buffer overflow.
Origin: https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
Bug: https://gitlab.com/muttmua/mutt/-/issues/404
Bug-Debian: https://bugs.debian.org/1009734
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-1328

mutt_decode_uuencoded() used each line's initial "length character"
without any validation.  It would happily read past the end of the
input line, and with a suitable value even past the length of the
input buffer.

As I noted in ticket 404, there are several other changes that could
be added to make the parser more robust.  However, to avoid
accidentally introducing another bug or regression, I'm restricting
this patch to simply addressing the overflow.

Thanks to Tavis Ormandy for reporting the issue, along with a sample
message demonstrating the problem.
---
 handler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/handler.c b/handler.c
index d1b4bc73a58f..c97cf0cb527e 100644
--- a/handler.c
+++ b/handler.c
@@ -404,9 +404,9 @@ static void mutt_decode_uuencoded (STATE *s, LOFF_T len, int istext, iconv_t cd)
     pt = tmps;
     linelen = decode_byte (*pt);
     pt++;
-    for (c = 0; c < linelen;)
+    for (c = 0; c < linelen && *pt;)
     {
-      for (l = 2; l <= 6; l += 2)
+      for (l = 2; l <= 6 && *pt && *(pt + 1); l += 2)
       {
 	out = decode_byte (*pt) << l;
 	pt++;
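
Review bot: The new *pt tests in both loop conditions only help if pt
still points inside the NUL-terminated line when the outer loop is
entered, but the context lines just above it do
"linelen = decode_byte (*pt); pt++;" with no check that the first byte
is not itself the terminator. Nothing in the visible lines rules out
tmps being empty at this point, and in that case pt is already one past
the NUL and the guards test memory beyond the string. Suggest testing
*pt before the pt++ (or skipping an empty line) so the guards always
start in bounds. Separately, a line whose length character claims more
data than is present is now decoded short with no indication; a short
comment on the inner condition saying why two bytes are tested
(*pt && *(pt + 1)) and that truncated lines are tolerated on purpose
would help the next reader.
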
-- 
2.35.2

