1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
|
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 3 Sep 2023 14:11:48 +0800
Subject: Fix write_one_header() illegal header check.
Origin: https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0
Bug-Debian: https://bugs.debian.org/1051563
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-4874
This is another crash caused by the rfc2047 decoding bug fixed in the
second prior commit.
In this case, an empty header line followed by a header line starting
with ":", would result in t==end.
The mutt_substrdup() further below would go very badly at that point,
with t >= end+1. This could result in either a memcpy onto NULL or a
huge malloc call.
Thanks to Chenyuan Mi (@morningbread) for giving a working example
draft message of the rfc2047 decoding flaw. This allowed me, with
further testing, to discover this additional crash bug.
---
sendlib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sendlib.c b/sendlib.c
index 763bff4117f2..204b13085227 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
else
{
t = strchr (start, ':');
- if (!t || t > end)
+ if (!t || t >= end)
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));
--
2.40.1
|