diff options
-rw-r--r-- | doc/doc-txt/ChangeLog | 6 | ||||
-rw-r--r-- | src/src/base64.c | 8 |
2 files changed, 10 insertions, 4 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 1ee00168f..8ae418ab1 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file. For new options, and new features, see the NewStuff file next to this ChangeLog. -Exim version 4.91 ------------------ +Since Exim version 4.90 +----------------------- JH/01 Replace the store_release() internal interface with store_newblock(), which internalises the check required to safely use the old one, plus @@ -82,6 +82,8 @@ JH/15 Relax results from ACL control request to enable cutthrough, in ignoring. This covers use with PRDR, frozen messages, queue-only and fake-reject. +HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) + JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc metadata, resulting in a crash in free(). diff --git a/src/src/base64.c b/src/src/base64.c index ae6874b8a..1d84c1e5c 100644 --- a/src/src/base64.c +++ b/src/src/base64.c @@ -152,10 +152,14 @@ static uschar dec64table[] = { int b64decode(const uschar *code, uschar **ptr) { + int x, y; -uschar *result = store_get(3*(Ustrlen(code)/4) + 1); +uschar *result; -*ptr = result; +{ + int l = Ustrlen(code); + *ptr = result = store_get(1 + l/4 * 3 + l%4); +} /* Each cycle of the loop handles a quantum of 4 input bytes. For the last quantum this may decode to 1, 2, or 3 output bytes. */ |