From 515a643a86d443e28442dc0e41640483b7671f0c Mon Sep 17 00:00:00 2001
From: Jan Hadrava
Date: Sun, 10 Sep 2023 01:00:27 +0200
Subject: [PATCH 1/1] Fix rfc2047 decoding buffer overflow

If the rfc2047_decode_word() function fails, only the failed word is copied into the output. In the previous version, the rest of the header was copied as well, which resulted in repetition in the output. This repetition, combined with the lack of checking the length of the output buffer, could have led to writing outside the allocated memory.
---
 charset.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/charset.c b/charset.c
index c80ce9e..d32a414 100644
--- a/charset.c
+++ b/charset.c
@@ -363,7 +363,12 @@ static void rfc2047_decode (char **pd)
 }
 if (rfc2047_decode_word (d, p, dlen) < 0)
- strcpy(d, p);
+ {
+ n = q - p;
+ if (n > dlen)
+ n = dlen;
+ memcpy (d, p, n);
+ }
 found_encoded = 1;
 s = q;
 n = strlen (d);
-- 
2.39.2
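Review bot: The new fallback branch copies `n` bytes with `memcpy (d, p, n);` but never writes a terminator, while the context line `n = strlen (d);` two lines later scans `d` for one. Unless the output buffer is zero-filled when it is allocated (the allocation is outside this hunk), that strlen can run past the copied word and possibly past the end of the buffer, and the length bookkeeping that follows would then be wrong. Add `d[n] = '\0';` after the memcpy, and clamp to `dlen - 1` rather than `dlen` if the buffer does not reserve a byte beyond `dlen`. rfc2047_decode starts and ends outside the hunk, so the declarations of `n` and `dlen` and the buffer size need to be confirmed there.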