-rw-r--r--src/common.c4
-rw-r--r--src/rfc2388.c7
-rw-r--r--src/sliding_buffer.c7
3 files changed, 15 insertions, 3 deletions
diff --git a/src/common.c b/src/common.c
index 168a682..ecb0278 100644
--- a/src/common.c
+++ b/src/common.c
@@ -256,6 +256,10 @@ buffer_add (buffer_t * buf, const void *data, unsigned long size)
}
index = buf->ptr - buf->data;
buf->data = realloc (buf->data, newsize);
+ if ( buf->data == NULL )
+ {
+ die_with_message ( NULL, NULL, 'Memory allocation error');
+ }
buf->limit = buf->data + newsize;
buf->ptr = buf->data + index;
}
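Review bot: The message on the added `die_with_message` line is written with single quotes, `'Memory allocation error'`, which in C is a multi-character constant rather than a string, so the call passes an integer where the function presumably expects a message pointer. It should read `die_with_message ( NULL, NULL, "Memory allocation error" );`. The same quoting appears on the added `die_with_message` call in the s_buffer_read hunk of src/sliding_buffer.c. Assigning the result of `realloc` straight back to `buf->data` is acceptable only if die_with_message never returns, which is not visible here, so a short comment stating that assumption would help. buffer_add begins outside the hunk.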
diff --git a/src/rfc2388.c b/src/rfc2388.c
index 32c21df..600e11b 100644
--- a/src/rfc2388.c
+++ b/src/rfc2388.c
@@ -137,7 +137,7 @@ mime_tag_add (mime_var_t * obj, char *str)
{
a += strlen (tag[0]);
b = strchr (a, '"');
- if (!obj->name)
+ if (!obj->name) && ( b )
obj->name = mime_substr (a, b - a);
}
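Review bot: The new condition `if (!obj->name) && ( b )` closes the `if` after the first parenthesised test, so `&& ( b )` falls outside the condition and the line will not compile as written. The intended guard is `if (!obj->name && b)`. The following hunk has the same construct for `obj->filename` and needs `if (!obj->filename && b)`. The guard matters because `strchr` returns NULL when the closing quote is missing, and `b - a` would then be computed from a null pointer and passed as a length to mime_substr. mime_tag_add starts and ends outside the hunk.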
@@ -146,7 +146,7 @@ mime_tag_add (mime_var_t * obj, char *str)
{
a += strlen (tag[1]);
b = strchr (a, '"');
- if (!obj->filename)
+ if (!obj->filename) && ( b )
obj->filename = mime_substr (a, b - a);
}
@@ -399,6 +399,9 @@ rfc2388_handler (list_t * env)
buffer_t buf;
mime_var_t var;
+ /* prevent a potential unitialized free() - ISE-TPS-2014-008 */
+ var.name = NULL;
+
/* get the boundary info */
str = getenv ("CONTENT_TYPE");
i = strlen (str) - 9;
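Review bot: Only `var.name` is initialised here, yet mime_tag_add in this same commit also tests `obj->filename` on a mime_var_t, so the other pointer members of `var` stay indeterminate unless code outside the hunk sets them. Zeroing the whole struct, for example `memset (&var, 0, sizeof var);` in place of `var.name = NULL;`, would cover every field at once. Separately, the context lines call `strlen (str)` on the result of `getenv ("CONTENT_TYPE")` without a NULL check, and `strlen (str) - 9` is not guarded against values shorter than nine characters. A request with a missing or too-short Content-Type should be rejected before this point. rfc2388_handler continues outside the hunk.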
diff --git a/src/sliding_buffer.c b/src/sliding_buffer.c
index f93ebe0..be4ea88 100644
--- a/src/sliding_buffer.c
+++ b/src/sliding_buffer.c
@@ -1,5 +1,5 @@
/* --------------------------------------------------------------------------
- * Copyright 2003-2011 (inclusive) Nathan Angelacos
+ * Copyright 2003-2014 (inclusive) Nathan Angelacos
* (nangel@users.sourceforge.net)
*
* This file is part of haserl.
@@ -128,6 +128,11 @@ s_buffer_read (sliding_buffer_t * sbuf, char *matchstr)
*/
pos = 0;
len = sbuf->bufsize - (int) (sbuf->ptr - sbuf->buf) - strlen (matchstr);
+ /* On a short read or very long matchstr, its possible to force len < 0 - That is bad. */
+ if ( len < 0 ) i
+ {
+ die_with_message ( NULL, NULL, 'Short Read or MIME decode failure' );
+ }
while (memcmp (matchstr, sbuf->ptr + pos, strlen (matchstr)) && (pos < len))
{
pos++;
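Review bot: The added guard line ends with a stray token, `if ( len < 0 ) i`, which makes the brace block that follows a syntax error; it should be `if ( len < 0 )`. Also, `strlen (matchstr)` is a `size_t`, so the subtraction on the line above is done in unsigned arithmetic and only becomes negative when converted back into `len`. Assuming `len` is a signed int (its declaration is outside the hunk), the check works on common platforms, but comparing the sizes before subtracting would avoid relying on that conversion. s_buffer_read starts and ends outside the hunk.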