[cvs] SF.net SVN: bogofilter:[6903] trunk/bogofilter/contrib
Fast Bayesian spam filter along lines suggested by Paul Graham
Brought to you by:
m-a
From: <m-...@us...> - 2010-07-02 00:22:23
Revision: 6903
          http://bogofilter.svn.sourceforge.net/bogofilter/?rev=6903&view=rev
Author:   m-a
Date:     2010-07-02 00:22:13 +0000 (Fri, 02 Jul 2010)

Log Message:
-----------
Temporarily store Julius Plenz's bugfix. This may be security relevant, but has already been published, so there is no point in being secretive any more.
-- Matthias 2010-07-02

Added Paths:
-----------
    trunk/bogofilter/contrib/incoming/
    trunk/bogofilter/contrib/incoming/julius-plenz-fix/
    trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch
    trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal

Added: trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch
===================================================================
--- trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch	(rev 0)
+++ trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch	2010-07-02 00:22:13 UTC (rev 6903)
@@ -0,0 +1,41 @@ +From 192fd9a149b318b87a01ed482fdf913feee1e2b5 Mon Sep 17 00:00:00 2001 +From: Julius Plenz <pl...@ci...> +Date: Wed, 16 Jun 2010 12:59:19 +0200 +Subject: [PATCH] bugfix: prevent memory corruption in base64_decode + +If a string starting with an equal-sign is passed to the base64_decode +function it triggers a memory corruption that in some cases makes +bogofilter crash. + +If the first character in word->text ist '=', then in base_64.c:50 +`shorten' will be set to 4, the loop ll 59-63 is skipped and the code + + d += 3 - shorten; + +will actually rewind the string-pointer d by one, thus causing the +function to write to a potentially invalid memory area in subsequent +calls. (Because *d at that point is the first character in the string.) +--- + src/base64.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/base64.c b/src/base64.c +index db72f9e..d20e4d9 100644 +--- a/src/base64.c ++++ b/src/base64.c +@@ -61,8 +61,10 @@ uint base64_decode(word_t *word) + d[i] = c; + v = v >> 8; + } +- d += 3 - shorten; +- count += 3 - shorten; ++ if(shorten != 4) { ++ d += 3 - shorten; ++ count += 3 - shorten; ++ } + } + /* XXX do we need this NUL byte? */ + if (word->leng) +-- +1.7.1 + Added: trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal =================================================================== --- trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal (rev 0) +++ trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal 2010-07-02 00:22:13 UTC (rev 6903) @@ -0,0 +1,9 @@ +Content-Type: multipart/mixed;boundary="----bound" + +------bound +Content-Transfer-Encoding: base64 + + +=C7ET=DDNERSAVA=DE=20 +------bound +Content-Type: text/plain; charset="iso-8859-9"
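Review bot: parking the .patch file under contrib/incoming/julius-plenz-fix/ leaves src/base64.c in trunk with the unguarded `d += 3 - shorten;` that the patch description identifies as the memory corruption, while the log message itself says the problem is already public. Apply the three-line change to src/base64.c in the same commit (or immediately after) and record it in the project's changelog, rather than keeping a copy that a reader of trunk will not find.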
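Review bot: in the base64.c hunk, `if(shorten != 4)` stops the one-byte rewind of `d` but the enclosing `while` loop then carries on decoding the next quartet, as the closing ` }` after the new block shows; since '=' marks the end of valid base64 data, consider leaving the decode loop once padding has been seen instead of only skipping the advance, which also stops `count` from being charged for whatever follows the padding. Minor style point: `if(shorten != 4) {` is missing the space after `if` that the surrounding code uses (`if (word->leng)`).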
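Review bot: the reproducer `minimal` comes with no note on how it is meant to be fed to bogofilter or what the expected outcome is before and after the fix; add a short README beside it. Two properties of the file are deliberate but will look like mistakes to the next reader and deserve a comment: the part is declared `Content-Transfer-Encoding: base64` while its body `=C7ET=DDNERSAVA=DE=20` looks like quoted-printable (which is exactly what puts '=' first), and the multipart is never closed with a `------bound--` delimiter.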
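An added example, not part of this commit and not bogofilter's own src/base64.c: a small C model of an in-place base64 decoder with the pointer arithmetic the patch description gives (each quartet yields 3 - shorten bytes and `d` is then advanced by 3 - shorten), run over the body of the `minimal` reproducer above. The decoder structure, the canary byte placed just before the text, and the helper names `decode_in_place`, `canary_survives` and `decoded_length` are assumptions of this example. It shows the unguarded variant rewinding `d` by one and overwriting the byte before the buffer, and the guarded variant leaving it alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value; -1 for anything else. */
static int b64val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Model (not bogofilter's code) of an in-place decoder with the arithmetic the
 * patch description gives: a quartet carries 3 - shorten bytes, where shorten
 * is the number of characters missing from it, and the write pointer d is then
 * advanced by 3 - shorten.  A quartet that starts with '=' consumes nothing,
 * so shorten becomes 4 and the unguarded advance moves d back by one.
 *
 * guard == 0 reproduces the pre-patch behaviour; guard != 0 applies the
 * patch's "if (shorten != 4)" check.  Returns the number of bytes written.
 */
static size_t decode_in_place(unsigned char *text, size_t len, int guard)
{
    unsigned char *s = text, *d = text, *e = text + len;
    size_t count = 0;

    while (s < e) {
        uint32_t v = 0;
        int got = 0, shorten, i;

        /* Gather up to four alphabet characters; '=' ends the quartet early. */
        while (got < 4 && s < e) {
            unsigned char c = *s++;
            int b;
            if (c == '=')
                break;
            b = b64val(c);
            if (b < 0)
                continue;            /* skip CR/LF and other non-alphabet bytes */
            v = (v << 6) | (uint32_t)b;
            got++;
        }
        shorten = 4 - got;           /* leading '=' -> got == 0 -> shorten == 4 */
        v <<= 6 * shorten;           /* left-align the bits actually present */

        /* 3 - shorten is -1 when shorten == 4, so this write loop is skipped ... */
        for (i = 0; i < 3 - shorten; i++)
            d[i] = (unsigned char)(v >> (16 - 8 * i));

        /* ... but without the guard the pointer and the count still move by -1. */
        if (!guard || shorten != 4) {
            d += 3 - shorten;
            count += 3 - shorten;
        }
    }
    return count;
}

/* Body of the "minimal" reproducer from this commit (constructed copy). */
static const char repro_body[] = "=C7ET=DDNERSAVA=DE=20";

#define CANARY 0xA5

/*
 * Decode the reproducer with a canary byte immediately before the text, so the
 * one-byte rewind lands on memory this program owns instead of on whatever
 * precedes word->text in the real process.  Returns 1 if the canary survived.
 */
static int canary_survives(int guard)
{
    unsigned char buf[1 + sizeof repro_body];
    buf[0] = CANARY;
    memcpy(buf + 1, repro_body, sizeof repro_body);
    (void)decode_in_place(buf + 1, sizeof repro_body - 1, guard);
    return buf[0] == CANARY;
}

/* Byte count the decoder reports for the reproducer; in the unguarded variant
   it is off by one per '='-led quartet, since count gets the same -1. */
static size_t decoded_length(int guard)
{
    unsigned char buf[1 + sizeof repro_body];
    buf[0] = CANARY;
    memcpy(buf + 1, repro_body, sizeof repro_body);
    return decode_in_place(buf + 1, sizeof repro_body - 1, guard);
}

int main(void)
{
    printf("unguarded: canary %s, count %zu\n",
           canary_survives(0) ? "intact" : "overwritten", decoded_length(0));
    printf("guarded:   canary %s, count %zu\n",
           canary_survives(1) ? "intact" : "overwritten", decoded_length(1));
    return 0;
}
```

The canary lives inside the same array, so the stray write is observable without relying on undefined behaviour; in the real program the byte before word->text belongs to whatever allocation precedes it, which is why the crash the patch description mentions shows up only sometimes. The reported length also differs (9 unguarded against 11 guarded) because `count` receives the same negative increment as `d`.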