[cvs] SF.net SVN: bogofilter:[6903] trunk/bogofilter/contrib
Fast Bayesian spam filter along lines suggested by Paul Graham
Brought to you by:
m-a
Menu
▾
▴
[cvs] SF.net SVN: bogofilter:[6903] trunk/bogofilter/contrib
|
From: <m-...@us...> - 2010-07-02 00:22:23
|
Revision: 6903
http://bogofilter.svn.sourceforge.net/bogofilter/?rev=6903&view=rev
Author: m-a
Date: 2010-07-02 00:22:13 +0000 (Fri, 02 Jul 2010)
Log Message:
-----------
Temporarily store Julius Plenz's bugfix.
This may be security relevant, but has already been published, so there is
no point in being secretive any more. -- Matthias 2010-07-02
Added Paths:
-----------
trunk/bogofilter/contrib/incoming/
trunk/bogofilter/contrib/incoming/julius-plenz-fix/
trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch
trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal
Added: trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch
===================================================================
--- trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch (rev 0)
+++ trunk/bogofilter/contrib/incoming/julius-plenz-fix/0001-bugfix-prevent-memory-corruption-in-base64_decode.patch 2010-07-02 00:22:13 UTC (rev 6903)
@@ -0,0 +1,41 @@
+From 192fd9a149b318b87a01ed482fdf913feee1e2b5 Mon Sep 17 00:00:00 2001
+From: Julius Plenz <pl...@ci...>
+Date: Wed, 16 Jun 2010 12:59:19 +0200
+Subject: [PATCH] bugfix: prevent memory corruption in base64_decode
+
+If a string starting with an equal-sign is passed to the base64_decode
+function it triggers a memory corruption that in some cases makes
+bogofilter crash.
+
+If the first character in word->text ist '=', then in base_64.c:50
+`shorten' will be set to 4, the loop ll 59-63 is skipped and the code
+
+ d += 3 - shorten;
+
+will actually rewind the string-pointer d by one, thus causing the
+function to write to a potentially invalid memory area in subsequent
+calls. (Because *d at that point is the first character in the string.)
+---
+ src/base64.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index db72f9e..d20e4d9 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -61,8 +61,10 @@ uint base64_decode(word_t *word)
+ d[i] = c;
+ v = v >> 8;
+ }
+- d += 3 - shorten;
+- count += 3 - shorten;
++ if(shorten != 4) {
++ d += 3 - shorten;
++ count += 3 - shorten;
++ }
+ }
+ /* XXX do we need this NUL byte? */
+ if (word->leng)
+--
+1.7.1
+
Added: trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal
===================================================================
--- trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal (rev 0)
+++ trunk/bogofilter/contrib/incoming/julius-plenz-fix/minimal 2010-07-02 00:22:13 UTC (rev 6903)
@@ -0,0 +1,9 @@
+Content-Type: multipart/mixed;boundary="----bound"
+
+------bound
+Content-Transfer-Encoding: base64
+
+
+=C7ET=DDNERSAVA=DE=20
+------bound
+Content-Type: text/plain; charset="iso-8859-9"
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|