Security audit fix.

svn path=/trunk/; revision=3534
author: Eric S. Raymond <esr@thyrsus.com> 2001-10-03 11:49:04 +0000
committer: Eric S. Raymond <esr@thyrsus.com> 2001-10-03 11:49:04 +0000
commit: 1405a0444d316791af6a473324be754789fb98a1 (patch)
tree: c617c845fd630dcdef6d7a5c607b6ce13f20ed3c /base64.c
parent: b5abbf75ceef070108e4e82218953e74899d7e2b (diff)
download: fetchmail-1405a0444d316791af6a473324be754789fb98a1.tar.gz
fetchmail-1405a0444d316791af6a473324be754789fb98a1.tar.bz2
fetchmail-1405a0444d316791af6a473324be754789fb98a1.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/base64.c b/base64.c
index 1dc533dd..3658e956 100644
--- a/base64.c
+++ b/base64.c
@@ -52,7 +52,7 @@ void to64frombits(unsigned char *out, const unsigned char *in, int inlen)
     *out = '\0';
 }
 
-int from64tobits(char *out, const char *in)
+int from64tobits(char *out, const char *in, int maxlen)
 /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
 {
     int len = 0;
@@ -77,8 +77,10 @@ int from64tobits(char *out, const char *in)
 	if (digit4 != '=' && DECODE64(digit4) == BAD)
 	    return(-1);
 	in += 4;
-	*out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
 	++len;
+	if (len && len >= maxlen)	/* prevent buffer overflow */
+	    return(-1);
+	*out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
 	if (digit3 != '=')
 	{
 	    *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
author	Eric S. Raymond <esr@thyrsus.com>	2001-10-03 11:49:04 +0000
committer	Eric S. Raymond <esr@thyrsus.com>	2001-10-03 11:49:04 +0000
commit	1405a0444d316791af6a473324be754789fb98a1 (patch)
tree	c617c845fd630dcdef6d7a5c607b6ce13f20ed3c /base64.c
parent	b5abbf75ceef070108e4e82218953e74899d7e2b (diff)
download	fetchmail-1405a0444d316791af6a473324be754789fb98a1.tar.gz fetchmail-1405a0444d316791af6a473324be754789fb98a1.tar.bz2 fetchmail-1405a0444d316791af6a473324be754789fb98a1.zip