authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2018-02-05 22:23:32 +0100
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2018-02-10 21:55:13 +0100
commitcf3cd306062a08969c41a1cdd32c6855f1abecf1 (patch)
tree3de2ffd314a4419b2516348b88eaadf875584f75 /src
parent38e3d2dff7982736f1e6833e06d4aab4652f337a (diff)
Fix base64d() buffer size (CVE-2018-6789)
Credits for discovering this bug: Meh Chang <meh@devco.re> (cherry picked from commit 062990cc1b2f9e5d82a413b53c8f0569075de700)
Diffstat (limited to 'src')
-rw-r--r--src/src/base64.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/src/base64.c b/src/src/base64.c
index ae6874b8a..1d84c1e5c 100644
--- a/src/src/base64.c
+++ b/src/src/base64.c
@@ -152,10 +152,14 @@ static uschar dec64table[] = {
int
b64decode(const uschar *code, uschar **ptr)
{
+
int x, y;
-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
+uschar *result;
-*ptr = result;
+{
+ int l = Ustrlen(code);
+ *ptr = result = store_get(1 + l/4 * 3 + l%4);
+}
/* Each cycle of the loop handles a quantum of 4 input bytes. For the last
quantum this may decode to 1, 2, or 3 output bytes. */
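Review bot: The new size expression `1 + l/4 * 3 + l%4` in b64decode has no comment explaining the `l%4` term, which is the whole fix: the old `3*(Ustrlen(code)/4) + 1` counted nothing for a trailing partial quantum, while the comment just below says the last quantum may decode to 1, 2, or 3 bytes. I would add above the allocation `/* Upper bound: 3 bytes per full 4-char quantum, at most l%4 bytes for a trailing partial quantum, plus 1 (presumably for the terminating zero). */` so the bound is not simplified back later. The decode loop lies outside this hunk, so it cannot be confirmed from here that every write stays inside this bound; a regression test with inputs of length 4n+1, 4n+2 and 4n+3 would pin it. As a style point, the bare `{ … }` scope and the blank line added after the opening brace could be dropped by declaring `l` alongside `int x, y;`.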