From a34ea4fe74eed37c3550cb0ead159c85beba7090 Mon Sep 17 00:00:00 2001
From: Nathan Angelacos
Date: Sat, 7 Jun 2014 18:28:55 +0000
Subject: Fix vulnerabilites based on email: [ISE-TPS-2014-008] Heap Overflow Vulnerability in Haserl 0.9.32

---
 src/common.c | 4 ++++
 src/rfc2388.c | 7 +++++--
 src/sliding_buffer.c | 7 ++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/common.c b/src/common.c
index 168a682..ecb0278 100644
--- a/src/common.c
+++ b/src/common.c
@@ -256,6 +256,10 @@ buffer_add (buffer_t * buf, const void *data, unsigned long size)
 }
 index = buf->ptr - buf->data;
 buf->data = realloc (buf->data, newsize);
+ if ( buf->data == NULL )
+ {
+ die_with_message ( NULL, NULL, 'Memory allocation error');
+ }
 buf->limit = buf->data + newsize;
 buf->ptr = buf->data + index;
 }
diff --git a/src/rfc2388.c b/src/rfc2388.c
index 32c21df..600e11b 100644
--- a/src/rfc2388.c
+++ b/src/rfc2388.c
@@ -137,7 +137,7 @@ mime_tag_add (mime_var_t * obj, char *str)
 {
 a += strlen (tag[0]);
 b = strchr (a, '"');
- if (!obj->name)
+ if (!obj->name) && ( b )
 obj->name = mime_substr (a, b - a);
 }
 
@@ -146,7 +146,7 @@ mime_tag_add (mime_var_t * obj, char *str)
 {
 a += strlen (tag[1]);
 b = strchr (a, '"');
- if (!obj->filename)
+ if (!obj->filename) && ( b )
 obj->filename = mime_substr (a, b - a);
 }
 
@@ -399,6 +399,9 @@ rfc2388_handler (list_t * env)
 buffer_t buf;
 mime_var_t var;
 
+ /* prevent a potential unitialized free() - ISE-TPS-2014-008 */
+ var.name = NULL;
+
 /* get the boundary info */
 str = getenv ("CONTENT_TYPE");
 i = strlen (str) - 9;
diff --git a/src/sliding_buffer.c b/src/sliding_buffer.c
index f93ebe0..be4ea88 100644
--- a/src/sliding_buffer.c
+++ b/src/sliding_buffer.c
@@ -1,5 +1,5 @@
 /* --------------------------------------------------------------------------
- * Copyright 2003-2011 (inclusive) Nathan Angelacos
+ * Copyright 2003-2014 (inclusive) Nathan Angelacos
 * (nangel@users.sourceforge.net)
 *
 * This file is part of haserl.
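Review bot: The added message is written as `'Memory allocation error'` with single quotes, which in C is a multi-character constant of type int rather than a string, so the new die_with_message call passes an integer where the other arguments suggest a `char *` is expected; the line should read `die_with_message ( NULL, NULL, "Memory allocation error");`. The same single-quoted literal appears in the sliding_buffer.c hunk at line 128. Storing realloc's result straight into buf->data before the NULL check discards the old block on failure, which is only harmless if die_with_message never returns, something this hunk does not show. buffer_add continues outside the hunk.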
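Review bot: `if (!obj->name) && ( b )` is not valid C, because the `&&` sits outside the if's parenthesised condition, so this hunk and the identical one for obj->filename at line 146 will not compile; the intended guards are `if (!obj->name && b)` and `if (!obj->filename && b)`. Once b is actually tested, mime_substr is only reached when strchr found the closing quote, which is what keeps `b - a` from being computed from a NULL b. mime_tag_add starts and ends outside the hunk.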
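Review bot: Only `var.name` is initialised, yet the hunks above show mime_var_t also carrying a `filename` pointer that mime_substr assigns, so if the cleanup path frees filename as it frees name, an uninitialised `var.filename` has the same problem the comment cites; zeroing the whole object right after its declaration, `memset (&var, 0, sizeof var);`, covers every pointer member without depending on the struct layout. Whether filename is freed on that path is not visible here and should be confirmed. The comment also misspells "uninitialized" as `unitialized`. rfc2388_handler's body continues past the hunk.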
@@ -128,6 +128,11 @@ s_buffer_read (sliding_buffer_t * sbuf, char *matchstr)
 */
 pos = 0;
 len = sbuf->bufsize - (int) (sbuf->ptr - sbuf->buf) - strlen (matchstr);
+ /* On a short read or very long matchstr, its possible to force len < 0 - That is bad. */
+ if ( len < 0 ) i
+ {
+ die_with_message ( NULL, NULL, 'Short Read or MIME decode failure' );
+ }
 while (memcmp (matchstr, sbuf->ptr + pos, strlen (matchstr)) && (pos < len))
 {
 pos++;
-- 
cgit v1.2.3
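Review bot: `if ( len < 0 ) i` carries a stray `i` token before the opening brace, which is a syntax error, and `'Short Read or MIME decode failure'` is a single-quoted multi-character constant rather than a string; the lines should be `if ( len < 0 )` and `die_with_message ( NULL, NULL, "Short Read or MIME decode failure" );`. Whether the `len < 0` test can ever fire also depends on len's declared type, which the hunk does not show: the right-hand side mixes int with the size_t from strlen, so the arithmetic is done unsigned and a negative value only appears if len itself is signed. It would also be safer to test the bound before the read in the existing loop condition, `while ((pos < len) && memcmp (matchstr, sbuf->ptr + pos, strlen (matchstr)))`, so memcmp is not called once pos has reached len. s_buffer_read starts and ends outside the hunk.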