Fix base64d() buffer size (CVE-2018-6789)

[exim.git] / src / src / base64.c

diff --git a/src/src/base64.c b/src/src/base64.c
index 031beb923e5a61d741d76d5a6ab1a0e4397d5393..1d84c1e5c34116bbfdf9b137bd26ba19b1f3a1da 100644 (file)
--- a/src/src/base64.c
+++ b/src/src/base64.c
@@ -5,7 +5,7 @@
 /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004, 2015 */
 /* License: GPL */
 
-/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) University of Cambridge 1995 - 2017 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 
@@ -150,12 +150,16 @@ static uschar dec64table[] = {
 };
 
 int
-b64decode(uschar *code, uschar **ptr)
+b64decode(const uschar *code, uschar **ptr)
 {
+
 int x, y;
-uschar *result = store_get(3*(Ustrlen(code)/4) + 1);
+uschar *result;
 
-*ptr = result;
+{
+  int l = Ustrlen(code);
+  *ptr = result = store_get(1 + l/4 * 3 + l%4);
+}
 
 /* Each cycle of the loop handles a quantum of 4 input bytes. For the last
 quantum this may decode to 1, 2, or 3 output bytes. */
@@ -245,7 +249,7 @@ uschar *p = code;
 
 while (len-- >0)
   {
-  register int x, y;
+  int x, y;
 
   x = *clear++;
   *p++ = enc64table[(x >> 2) & 63];