Buffer overflow fixes.

git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@18645 72102866-910b-0410-8b05-ffd578937521
2025-04-22 16:33:29 +00:00 · 2004-02-24 14:14:26 +00:00 · 2004-02-24 14:14:26 +00:00 · b4a4e78ab9
commit b4a4e78ab9
parent cd863fed81
2 changed files with 15 additions and 6 deletions
--- a/2
+++ b/2
@ -2,6 +2,8 @@

 	* Source/GSFormat.m: Fix buffer overrun by strlen() when printing
 	c-strings without nul terminators using '%*.*s' format.
+	* Source/Additions/GSMime.m: Fix cases of possible access beyond buffer
+	and rare overflow writing decoded base64 data.

 2004-02-23  Adam Fedor  <fedor@gnu.org>

--- a/Source/Additions/GSMime.m
+++ b/Source/Additions/GSMime.m
@ -85,8 +85,8 @@ encodebase64(char *dst, const unsigned char *src, int length)
  for (sIndex = 0; sIndex < length; sIndex += 3)
    {
      int	c0 = src[sIndex];
-      int	c1 = src[sIndex+1];
-      int	c2 = src[sIndex+2];
+      int	c1 = (sIndex+1 < length) ? src[sIndex+1] : 0;
+      int	c2 = (sIndex+2 < length) ? src[sIndex+2] : 0;

      dst[dIndex++] = b64[(c0 >> 2) & 077];
      dst[dIndex++] = b64[((c0 << 4) & 060) | ((c1 >> 4) & 017)];
@ -3183,7 +3183,7 @@ static NSCharacterSet	*tokenSet = nil;
  result = (unsigned char*)NSZoneMalloc(NSDefaultMallocZone(), declen);
  dst = result;

-  while (*src && (src != end))
+  while ((src != end) && *src != '\0')
    {
      int	c = *src++;

@ -3237,11 +3237,18 @@ static NSCharacterSet	*tokenSet = nil;
      unsigned	i;

      for (i = pos; i < 4; i++)
-	buf[i] = '\0';
+	{
+	  buf[i] = '\0';
+	}
      pos--;
+      if (pos > 0)
+	{
+	  unsigned char	tail[3];
+	  decodebase64(tail, buf);
+	  memcpy(dst, tail, pos);
+	  dst += pos;
+	}
    }
-  decodebase64(dst, buf);
-  dst += pos;
  return AUTORELEASE([[NSData allocWithZone: NSDefaultMallocZone()]
    initWithBytesNoCopy: result length: dst - result]);
 }