Fix rfc2047 decoding buffer overflow

If the rfc2047_decode_word() function fails, only the failed word is
copied into the output.

In the previous version, the rest of the header was copied as well,
which resulted in repetition in the output. This repetition, combined
with the lack of checking the length of the output buffer, could have
led to writing outside the allocated memory.

diff --git a/charset.c b/charset.c
index c80ce9e0dfbbb2b5e9bbb4b958e227b1d40774e6..d32a414eead4eacb54fafccc4822931d1b46f640 100644 (file)
--- a/charset.c
+++ b/charset.c
@@ -363,7 +363,12 @@ static void rfc2047_decode (char **pd)
     }
 
     if (rfc2047_decode_word (d, p, dlen) < 0)
-      strcpy(d, p);
+    {
+      n = q - p;
+      if (n > dlen)
+       n = dlen;
+      memcpy (d, p, n);
+    }
     found_encoded = 1;
     s = q;
     n = strlen (d);