From 8584d194370dd20b2679e28d94fab2d64fe28c2a Mon Sep 17 00:00:00 2001
From: CaS
Date: Tue, 24 Feb 2004 14:14:26 +0000
Subject: [PATCH] Buffer overflow fixes.

git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@18645 72102866-910b-0410-8b05-ffd578937521
---
 ChangeLog | 2 ++
 Source/Additions/GSMime.m | 19 +++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1f4efae9a..d6fdcade4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
 * Source/GSFormat.m: Fix buffer overrun by strlen() when printing c-strings without nul terminators using '%*.*s' format.
+ * Source/Additions/GSMime.m: Fix cases of possible access beyond buffer
+ and rare overflow writing decoded base64 data.
 2004-02-23 Adam Fedor
diff --git a/Source/Additions/GSMime.m b/Source/Additions/GSMime.m
index ffde169d3..8b998b62e 100644
--- a/Source/Additions/GSMime.m
+++ b/Source/Additions/GSMime.m
@@ -85,8 +85,8 @@ encodebase64(char *dst, const unsigned char *src, int length)
 for (sIndex = 0; sIndex < length; sIndex += 3)
 {
 int c0 = src[sIndex];
- int c1 = src[sIndex+1];
- int c2 = src[sIndex+2];
+ int c1 = (sIndex+1 < length) ? src[sIndex+1] : 0;
+ int c2 = (sIndex+2 < length) ? src[sIndex+2] : 0;
 dst[dIndex++] = b64[(c0 >> 2) & 077];
 dst[dIndex++] = b64[((c0 << 4) & 060) | ((c1 >> 4) & 017)];
@@ -3183,7 +3183,7 @@ static NSCharacterSet *tokenSet = nil;
 result = (unsigned char*)NSZoneMalloc(NSDefaultMallocZone(), declen);
 dst = result;
- while (*src && (src != end))
+ while ((src != end) && *src != '\0')
 {
 int c = *src++;
@@ -3237,11 +3237,18 @@ static NSCharacterSet *tokenSet = nil;
 unsigned i;
 for (i = pos; i < 4; i++)
- buf[i] = '\0';
+ {
+ buf[i] = '\0';
+ }
 pos--;
+ if (pos > 0)
+ {
+ unsigned char tail[3];
+ decodebase64(tail, buf);
+ memcpy(dst, tail, pos);
+ dst += pos;
+ }
 }
- decodebase64(dst, buf);
- dst += pos;
 return AUTORELEASE([[NSData allocWithZone: NSDefaultMallocZone()] initWithBytesNoCopy: result length: dst - result]);
 }
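Review bot: The `dst[dIndex++]` writes in the encodebase64() loop remain unbounded, because the function takes no destination size; only the reads of `src` are now guarded. Assuming four output characters per three-byte group, the contract should be stated at the definition, e.g. `/* dst must have room for 4 * ((length + 2) / 3) bytes */`. The zero-filled `c1`/`c2` values encode as ordinary data characters, so the code after the loop has to replace those positions with padding for a short final group. That code, and the rest of the loop body, are outside this hunk and should be confirmed.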
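Review bot: The reordered loop test `(src != end) && *src != '\0'` only stops when `src` lands exactly on `end`, so it stays safe only if every path in the body advances `src` by one. The body continues outside this hunk; `while (src < end && *src != '\0')` would hold regardless of how it advances. Separately, the pointer returned by `NSZoneMalloc(NSDefaultMallocZone(), declen)` is assigned to `dst` with no visible NULL check. If the zone can return NULL rather than raising, a guard belongs before `dst = result;`.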
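Review bot: `memcpy(dst, tail, pos)` is safe only while `pos` is at most 3 and `dst + pos` stays inside the `declen`-byte allocation, and neither bound is checked in the added block. The enclosing block's opening condition and the declaration of `pos` are outside this hunk; if `pos` is unsigned and could be 0 on entry, `pos--` wraps and `pos > 0` no longer protects the copy. Making the bound explicit is cheap: `if (pos > 0 && pos <= 3 && dst + pos <= result + declen)`. A single leftover base64 character (where `pos` becomes 0) is now dropped silently, which deserves a one-line comment so the behaviour is clearly intentional.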