summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/doc-txt/ChangeLog6
-rw-r--r--src/src/base64.c8
2 files changed, 10 insertions, 4 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 1ee00168f..8ae418ab1 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -5,8 +5,8 @@ affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
-Exim version 4.91
------------------
+Since Exim version 4.90
+-----------------------
JH/01 Replace the store_release() internal interface with store_newblock(),
which internalises the check required to safely use the old one, plus
@@ -82,6 +82,8 @@ JH/15 Relax results from ACL control request to enable cutthrough, in
ignoring. This covers use with PRDR, frozen messages, queue-only and
fake-reject.
+HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
+
JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
diff --git a/src/src/base64.c b/src/src/base64.c
index ae6874b8a..1d84c1e5c 100644
--- a/src/src/base64.c
+++ b/src/src/base64.c
@@ -152,10 +152,14 @@ static uschar dec64table[] = {
int
b64decode(const uschar *code, uschar **ptr)
{
+
int x, y;
-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
+uschar *result;
-*ptr = result;
+{
+ int l = Ustrlen(code);
+ *ptr = result = store_get(1 + l/4 * 3 + l%4);
+}
/* Each cycle of the loop handles a quantum of 4 input bytes. For the last
quantum this may decode to 1, 2, or 3 output bytes. */