CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

Based on Phil Pennock's commit 76a1ce77. Modified by Qualys. (cherry picked from commit f218fef171cbe9e61d10f15399aab8fa6956535b)
author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-04-12 23:05:44 +0200
committer: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-04-28 00:40:50 +0200
commit: 8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46 (patch)
tree: cf0f43f1649b5a4ce200cad9747756552bd2a157
parent: c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210 (diff)
download: exim4-8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/src/src/parse.c b/src/src/parse.c
index 32b42cd29..086b010c3 100644
--- a/src/src/parse.c
+++ b/src/src/parse.c
@@ -979,12 +979,12 @@ if (i < len)
 
 /* No non-printers; use the RFC 822 quoting rules */
 
-if (!len)
+if (len <= 0 || len >= INT_MAX/4)
   {
-  return string_copy_taint(US"", is_tainted(phrase));
+  return string_copy_taint(CUS"", is_tainted(phrase));
   }
 
-buffer = store_get(len*4, is_tainted(phrase));
+buffer = store_get((len+1)*4, is_tainted(phrase));
 
 s = phrase;
 end = s + len;
author	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>	2021-04-12 23:05:44 +0200
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>	2021-04-28 00:40:50 +0200
commit	8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46 (patch)
tree	cf0f43f1649b5a4ce200cad9747756552bd2a157
parent	c5f2f5cf2a6b45ae7ba0ed15e04fbe014727b210 (diff)
download	exim4-8b1e9bc2cac17ee24d595c97dcf97d9b016f8a46.tar.gz