CVE-2023-4874

From a4752eb0ae0a521eec02e59e51ae5daedf74fda0 Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Sun, 3 Sep 2023 14:11:48 +0800 Subject: [PATCH] Fix write_one_header() illegal header check. This is another crash caused by the rfc2047 decoding bug fixed in the second prior commit. In this case, an empty header line followed by a header line starting with ":", would result in t==end. The mutt_substrdup() further below would go very badly at that point, with t >= end+1. This could result in either a memcpy onto NULL or a huge malloc call. Thanks to Chenyuan Mi (@morningbread) for giving a working example draft message of the rfc2047 decoding flaw. This allowed me, with further testing, to discover this additional crash bug. — sendlib.c | 2 ± 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sendlib.c b/sendlib.c index 763bff41…204b1308 100644 — a/sendlib.c +++ b/sendlib.c @@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen, else { t = strchr (start, ‘:’); - if (!t || t > end) + if (!t || t >= end) { dprint (1, (debugfile, "mwoh: warning: header not in " “’key: value’ format!\n”)); – GitLab