Project

General

Profile

Actions

Bug #6904

closed

mime: buffer overflow in GetFullValue() (util-decode-mime.c)

Added by Victor Julien 8 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

static uint8_t *GetFullValue(const DataValue *dv, uint32_t *olen)
{
    uint32_t offset = 0;
    uint8_t *val = NULL;
    uint32_t len = 0;
    *olen = 0;

    /* First calculate total length */
    for (const DataValue *curr = dv; curr != NULL; curr = curr->next) {
[1]        len += curr->value_len;
    }

    /* Must have at least one character in the value */
    if (len > 0) {
[2]        val = SCCalloc(1, len);
        if (unlikely(val == NULL)) {
            return NULL;
        }

        for (const DataValue *curr = dv; curr != NULL; curr = curr->next) {
[3]            memcpy(val + offset, curr->value, curr->value_len);
            offset += curr->value_len;
        }
    }
    *olen = len;
    return val;
}

1 - integer overflow is possible on this line
2 - when 'len' variable overflows, buffer of small size will be allocated
3 - heap overflow on this line

Actions

Also available in: Atom PDF