On Tue, Jul 17, 2012 at 10:15:51AM -0400, Justin Ferguson wrote:
> Surely you guys meant to check that msglen-5 is greater than or equal
> to four lest you receive a msg akin to "?OTR:===." ?
>
> This is a pretty highly utilized code-path with direct hits from
> pidgin's receive im signal. Cheers.
Thanks for the report! It turns out your suggested fix isn't quite good enough. Here's the fix we just committed: commit aa8cf9d5e860691943f3fc02ad11432b56c7ae1f Author: Ian Goldberg <[email protected]> Date: Tue Jul 17 13:25:44 2012 -0400 Use ceil instead of floor to compute the size of the data buffer. This prevents a one-byte heap buffer overflow. Thanks to Justin Ferguson <[email protected]> for the report. diff --git a/ChangeLog b/ChangeLog index f12ce68..7f6e9ed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2012-07-17 + + * src/b64.c: Use ceil instead of floor to compute the size + of the data buffer. This prevents a one-byte heap buffer + overflow. Thanks to Justin Ferguson <[email protected]> + for the report. + 2012-06-21 * src/context.c: A couple bug fixes. diff --git a/src/b64.c b/src/b64.c index 8ea2e52..9ed3feb 100644 --- a/src/b64.c +++ b/src/b64.c @@ -237,7 +237,7 @@ int otrl_base64_otr_decode(const char *msg, unsigned char ** } /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = ((msglen-5+3) / 4) * 3; /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { return -1; - Ian _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
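Review bot: the ChangeLog hunk does not name the function whose buffer sizing changed (otrl_base64_otr_decode, per the src/b64.c hunk); adding it to the entry would make the fix easier for downstream packagers to locate when tracking the overflow.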
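Review bot: in the src/b64.c hunk, `rawlen = ((msglen-5+3) / 4) * 3;` rounds up correctly, but the hunk does not show the check that guarantees msglen >= 5; if msglen is unsigned and a shorter string ever reached this line, msglen-5 would wrap and rawlen would become huge, so it is worth confirming the "?OTR:" prefix and trailing "." checks precede it. The comment `/* maximum possible */` would also benefit from saying why the +3 is needed: a trailing group of two or three base64 characters still produces one or two output bytes, which the floor bound left no room for. Finally, `if (!rawmsg && rawlen > 0)` leaves the rawlen == 0 case to malloc(0)'s implementation-defined result, which is only safe if the decoder writes nothing for an empty payload.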
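An added illustration of the sizing bug the commit fixes (example code written for this page, not libotr's own decoder): it computes the pre-fix floor bound and the post-fix ceil bound for a message, runs a model decoder that emits bytes for a trailing partial base64 group, and reports by how many bytes each bound falls short. It assumes msglen counts the whole "?OTR:<base64>." string including the trailing dot (as the quoted "?OTR:===." suggests) and that non-alphabet characters are skipped.

```c
#include <stddef.h>
#include <string.h>

/* Buffer bound before the fix (floor) and after (ceil) for n = msglen - 5,
 * where msglen is the length of the whole "?OTR:<base64>." string
 * (assumption: the trailing '.' is counted, so "?OTR:===." gives n = 4). */
size_t rawlen_floor(size_t n) { return (n / 4) * 3; }
size_t rawlen_ceil(size_t n)  { return ((n + 3) / 4) * 3; }

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;   /* '=', '.', and anything else: skipped, emits nothing */
}

/* Model decoder (assumption, not libotr's): accumulate 6 bits per alphabet
 * character and emit a byte whenever 8 are available, so a trailing partial
 * group of 2 or 3 characters still yields 1 or 2 bytes. Bytes are stored only
 * while written < cap; the return value is how many bytes the decoder WANTED
 * to write, so a result above cap is the overflow a real decoder would commit. */
size_t decode_count(const char *in, size_t n, unsigned char *out, size_t cap) {
    unsigned acc = 0; int nbits = 0; size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        int v = b64val((unsigned char)in[i]);
        if (v < 0) continue;
        acc = (acc << 6) | (unsigned)v;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            if (written < cap) out[written] = (unsigned char)(acc >> nbits);
            written++;
            acc &= (1u << nbits) - 1u;      /* keep only the leftover bits */
        }
    }
    return written;
}

/* Bytes by which sizing the buffer with 'bound' falls short for msg; 0 means
 * the buffer is big enough. Requires the 5-byte "?OTR:" prefix to be present. */
size_t shortfall(const char *msg, size_t (*bound)(size_t)) {
    unsigned char buf[64];
    size_t len = strlen(msg);
    if (len < 5) return 0;
    size_t n = len - 5;
    size_t cap = bound(n);
    size_t room = cap < sizeof buf ? cap : sizeof buf;   /* never write past buf */
    size_t want = decode_count(msg + 5, n, buf, room);
    return want > cap ? want - cap : 0;
}
```

For a six-character payload such as "?OTR:AAAAAA." the floor bound reserves 3 bytes while the decoder wants 4, the one-byte heap overflow the commit describes; the ceil bound reserves 6.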
