[Fix] Fix out-of-bound read in qp decode
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Wed, 25 Sep 2019 08:46:47 +0000 (09:46 +0100)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Wed, 25 Sep 2019 08:46:47 +0000 (09:46 +0100)
src/libutil/str_util.c
test/lua/unit/quoted_printable.lua

index 91199aec10e2cb777a87b3f5a07cab3c5fd7e94a..f5cd8be1a1dbd2207f09cebf1cc799c3d126e76a 100644 (file)
@@ -2088,6 +2088,10 @@ rspamd_decode_qp_buf (const gchar *in, gsize inlen,
                                if (end - o > 0) {
                                        *o++ = *p;
                                }
+                               else {
+                                       /* Buffer overflow */
+                                       return (-1);
+                               }
 
                                break;
                        }
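Review bot: The comment `/* Buffer overflow */` on the new `else` names the condition being avoided rather than what happened: at this point the output buffer is full and nothing has been written past it. Something like `/* Output buffer exhausted: fail instead of writing past end */` is clearer, and the same wording recurs in the second hunk of this file. Because the failure is reported as -1, callers (not visible in this diff) have to test for a negative result before using it as a length; a line in the function's header comment stating that contract would help. The function body starts and ends outside the hunk.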
@@ -2149,9 +2153,29 @@ decode:
                                        processed = pos - o;
                                        remain -= processed;
                                        p += processed;
-                                       o = pos - 1;
-                                       /* Skip comparison, as we know that we have found match */
-                                       goto decode;
+
+                                       if (remain > 0) {
+                                               o = pos - 1;
+                                               /*
+                                                * Skip comparison and jump inside decode branch,
+                                                * as we know that we have found match
+                                                */
+                                               goto decode;
+                                       }
+                                       else {
+                                               /* Last '=' character, bugon */
+                                               o = pos;
+
+                                               if (end - o > 0) {
+                                                       *o = '=';
+                                               }
+                                               else {
+                                                       /* Buffer overflow */
+                                                       return (-1);
+                                               }
+
+                                               break;
+                                       }
                                }
                        }
                        else {
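Review bot: In the new `else` branch for a trailing `=`, `*o = '='` appears to write a second `=` one byte past the one already copied: the sibling branch rewinds with `o = pos - 1`, which suggests `pos` points just after the copied `=` (the copy call itself is above the hunk, so this is inferred). If so, the extra byte is never counted in the returned length, and the `end - o > 0` test returns -1 for an output buffer that the decoded data fills exactly, even though nothing more needs to be written. The branch could be reduced to `o = pos;` followed by `break;`. The enclosing loop starts and ends outside the hunk.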
index 50d357ea0e8b34055ebf2ca72cd3e9bbe3f4009e..cf667f8d44cafdca763119fbb477c107f66a1a5f 100644 (file)
@@ -95,6 +95,24 @@ context("Quoted-Printable encoding", function()
       assert_rspamd_eq(res)
     end)
   end
+  -- Decode issues
+  cases = {
+    {
+      'Mailscape External Mail Flow Outbound Test=',
+      'Mailscape External Mail Flow Outbound Test=',
+      'asan found'
+    },
+  }
+
+  for _,c in ipairs(cases) do
+    test("QP decoding test case: " .. c[3], function()
+      local res = {
+        expect = c[2],
+        actual = tostring(rspamd_util.decode_qp(c[1]))
+      }
+      assert_rspamd_eq(res)
+    end)
+  end
 
   -- Fuzz testing
   local charset = {}
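Review bot: The added case only exercises a trailing `=` preceded by literal text, which is the path changed in the second str_util.c hunk; the branch patched in the first hunk (a `=` met at the top of the loop with nothing after it) has no case. A case such as `{'=', '=', 'lone trailing ='}` would likely reach it, with the expected value confirmed against the decoder. The label `'asan found'` records how the bug was discovered rather than what is tested; `'trailing = after literal text'` would read better in a failure report.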
@@ -109,7 +127,6 @@ context("Quoted-Printable encoding", function()
     end
   end
 
-
   for _,l in ipairs({10, 100, 1000, 10000}) do
     test("QP fuzz test max length " .. tostring(l), function()
       for _=1,100 do