Buffer overflow fixes.

git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@18645 72102866-910b-0410-8b05-ffd578937521

ChangeLog

@@ -2,6 +2,8 @@
 
 	* Source/GSFormat.m: Fix buffer overrun by strlen() when printing
 	c-strings without nul terminators using '%*.*s' format.
+	* Source/Additions/GSMime.m: Fix cases of possible access beyond buffer
+	and rare overflow writing decoded base64 data.
 
 2004-02-23  Adam Fedor  <fedor@gnu.org>
 

Source/Additions/GSMime.m

@@ -85,8 +85,8 @@ encodebase64(char *dst, const unsigned char *src, int length)
   for (sIndex = 0; sIndex < length; sIndex += 3)
     {
       int	c0 = src[sIndex];
-      int	c1 = src[sIndex+1];
+      int	c1 = (sIndex+1 < length) ? src[sIndex+1] : 0;
-      int	c2 = src[sIndex+2];
+      int	c2 = (sIndex+2 < length) ? src[sIndex+2] : 0;
 
       dst[dIndex++] = b64[(c0 >> 2) & 077];
       dst[dIndex++] = b64[((c0 << 4) & 060) | ((c1 >> 4) & 017)];
@@ -3183,7 +3183,7 @@ static NSCharacterSet	*tokenSet = nil;
   result = (unsigned char*)NSZoneMalloc(NSDefaultMallocZone(), declen);
   dst = result;
 
-  while (*src && (src != end))
+  while ((src != end) && *src != '\0')
     {
       int	c = *src++;
 
@@ -3237,11 +3237,18 @@ static NSCharacterSet	*tokenSet = nil;
       unsigned	i;
 
       for (i = pos; i < 4; i++)
-	buf[i] = '\0';
+	{
+	  buf[i] = '\0';
+	}
       pos--;
+      if (pos > 0)
+	{
+	  unsigned char	tail[3];
+	  decodebase64(tail, buf);
+	  memcpy(dst, tail, pos);
+	  dst += pos;
+	}
     }
-  decodebase64(dst, buf);
-  dst += pos;
   return AUTORELEASE([[NSData allocWithZone: NSDefaultMallocZone()]
     initWithBytesNoCopy: result length: dst - result]);
 }