From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001
|
|
From: Steven Morgan <stevmorg@cisco.com>
|
|
Date: Thu, 2 Mar 2017 14:41:20 -0500
|
|
Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file.
|
|
|
|
---
|
|
libclamav/message.c | 10 +++++++---
|
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libclamav/message.c b/libclamav/message.c
|
|
index b5cf0ddc7..36bbf417d 100644
|
|
--- a/libclamav/message.c
|
|
+++ b/libclamav/message.c
|
|
@@ -445,8 +445,12 @@ messageAddArgument(message *m, const char *arg)
|
|
* FIXME: Bounce message handling is corrupting the in
|
|
* core copies of headers
|
|
*/
|
|
- cli_dbgmsg("Possible data corruption fixed\n");
|
|
- p[8] = '=';
|
|
+ if (strlen(p) > 8) {
|
|
+ cli_dbgmsg("Possible data corruption fixed\n");
|
|
+ p[8] = '=';
|
|
+ } else {
|
|
+ cli_dbgmsg("Possible data corruption not fixed\n");
|
|
+ }
|
|
} else {
|
|
if(*p)
|
|
cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
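Review bot: The new `else` branch only logs "Possible data corruption not fixed" and then falls through with `p` still lacking an `=`, so the malformed argument appears to be kept as it is. The neighbouring outer `else` handles the no-`=` case separately, but only its debug message is visible and messageAddArgument continues outside the hunk. It is worth confirming that later consumers tolerate an entry without `=`, or whether this case should be discarded in the same way. The guard would also benefit from a comment such as `/* with strlen(p) <= 8, p[8] is the terminating NUL or lies beyond it; writing there would leave p unterminated or touch memory past the string */`, since the reason for `> 8` is not stated.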
|
|
@@ -682,7 +686,7 @@ messageFindArgument(const message *m, const char *variable)
|
|
cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
|
|
return NULL;
|
|
}
|
|
- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
|
|
+ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
|
|
/* Remove any quote characters */
|
|
char *ret = cli_strdup(++ptr);
|
|
char *p;
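Review bot: Putting `strlen(ptr) > 2` in front of `*++ptr` makes the pointer increment conditional. When the length check fails, `&&` short-circuits and `ptr` is not advanced, whereas before the patch it always moved forward one character. The context above suggests `ptr` sits on the `=` at this point, so any code after this block (outside the hunk) that uses `ptr` for the unquoted case would now see the value with its leading `=`. Separating the side effect from the test keeps the old fall-through behaviour: `ptr++;` on its own line, then `if((strlen(ptr) > 1) && (*ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {`. The body of this `if` continues outside the hunk.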
|