author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-12 23:05:44 +0200 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:50 +0200 |
commit | 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46 (patch) | |
tree | cf0f43f1649b5a4ce200cad9747756552bd2a157 | |
parent | c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210 (diff) | |
CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
Based on Phil Pennock's commit 76a1ce77.
Modified by Qualys.
(cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)
-rw-r--r-- | src/src/parse.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/src/parse.c b/src/src/parse.c
index 32b42cd29..086b010c3 100644
--- a/src/src/parse.c
+++ b/src/src/parse.c
@@ -979,12 +979,12 @@ if (i < len)
 /* No non-printers; use the RFC 822 quoting rules */
-if (!len)
+if (len <= 0 || len >= INT_MAX/4)
 {
- return string_copy_taint(US"", is_tainted(phrase));
+ return string_copy_taint(CUS"", is_tainted(phrase));
 }
-buffer = store_get(len*4, is_tainted(phrase));
+buffer = store_get((len+1)*4, is_tainted(phrase));
 s = phrase;
 end = s + len; |
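Review bot: The new guard `if (len <= 0 || len >= INT_MAX/4)` sends two different cases down the same empty-string return: an empty phrase, and a phrase too long to size safely. An over-long input therefore becomes "" with nothing in the hunk that logs it or signals it to the caller. If that is intended, a comment beside the check would record it, e.g. `/* len >= INT_MAX/4 would overflow (len+1)*4 below; treat as empty rather than fail */`. The `store_get((len+1)*4, ...)` line would also benefit from a comment stating the worst-case output expansion that the factor 4 and the extra slot are meant to cover. The loop that writes into `buffer` lies outside this hunk, as do the start and end of the enclosing function, so the bound cannot be verified from the lines shown.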