From bd194948067c876eafecd9723ae7c544099fb9e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Enrique=20J=2E=20Hern=C3=A1ndez=20Blasco?=
Date: Mon, 24 Nov 2014 23:50:45 +0100
Subject: [PATCH] Fix crash when decoding a = at end of the data

In decoding a quoted printable mail. There is a buffer overflow as we are always parsing two bytes instead of one.

See the full backtrace at:
https://gist.github.com/sixstone-qq/cb8099b66c2911e8aaf2

This patch avoid regressions to manage = at the end of the source.
---
 sope-core/NGExtensions/NGQuotedPrintableCoding.m | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sope-core/NGExtensions/NGQuotedPrintableCoding.m b/sope-core/NGExtensions/NGQuotedPrintableCoding.m
index f97a331aa..ff3ff33b7 100644
--- a/sope-core/NGExtensions/NGQuotedPrintableCoding.m
+++ b/sope-core/NGExtensions/NGQuotedPrintableCoding.m
@@ -147,17 +147,21 @@ int NGDecodeQuotedPrintableX(const char *_src, unsigned _srcLen,
       destCnt++;
     }
     else {
-      if ((_srcLen - cnt) > 2) {
+      if ((_srcLen - cnt) > 1) {
         signed char c1, c2;
         cnt++; // skip '='
         c1 = _src[cnt]; // first hex digit
         if (c1 == '\r' || c1 == '\n') {
-          if (_src[cnt + 1] == '\r' || _src[cnt + 1] == '\n' )
+          if (cnt < _srcLen && (_src[cnt + 1] == '\r' || _src[cnt + 1] == '\n' ))
             cnt++;
           continue;
         }
+
+        if (cnt == _srcLen) /* We have reached the end of the _src */ break;
+
         c1 = __hexToChar(c1);
         cnt++; // skip first hex digit