changeset 21215:fd41125c93b0

lib-mail: Fix assert-crash in mail_html2text_more() with invalid input. parse_data() continues forward thinking that it might have valid input, until it has enough data and realizes that there's nothing valid. This triggers: Panic: file mail-html2text.c: line 312 (mail_html2text_more): assertion failed: (pos >= buf_orig_size)
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Tue, 22 Nov 2016 18:33:12 +0200
parents 06a5d5c99adb
children 3f2fdf9a5111
files src/lib-mail/mail-html2text.c src/lib-mail/test-mail-html2text.c
diffstat 2 files changed, 13 insertions(+), 7 deletions(-) [+]
--- a/src/lib-mail/mail-html2text.c	Sat Nov 19 02:32:21 2016 +0200
+++ b/src/lib-mail/mail-html2text.c	Tue Nov 22 18:33:12 2016 +0200
@@ -307,18 +307,22 @@
 		buffer_append(ht->input, data, inc_size);
 		pos = parse_data(ht, ht->input->data,
 				 ht->input->used, output);
-		if (pos != 0) {
-			/* we parsed forward */
-			i_assert(pos >= buf_orig_size);
-			data += pos - buf_orig_size;
-			size -= pos - buf_orig_size;
-			buffer_set_used_size(ht->input, 0);
-		} else {
+		if (pos == 0) {
 			/* we need to add more data into buffer */
 			data += inc_size;
 			size -= inc_size;
 			if (size == 0)
 				return;
+		} else if (pos >= buf_orig_size) {
+			/* we parsed forward */
+			data += pos - buf_orig_size;
+			size -= pos - buf_orig_size;
+			buffer_set_used_size(ht->input, 0);
+		} else {
+			/* invalid input - eat away what we parsed so far
+			   and retry */
+			buffer_set_used_size(ht->input, buf_orig_size);
+			buffer_delete(ht->input, 0, pos);
 		}
 	}
 	pos = parse_data(ht, data, size, output);
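Review bot: The comment on the new final `else` branch does not say why the buffer is first cut back to `buf_orig_size`, which is the step a later edit is most likely to break. In that branch `data` and `size` are not advanced, so the `inc_size` bytes appended at the top of the loop body have to be dropped or the next pass would append them a second time. The retry makes progress only because `pos` is non-zero there, so `buffer_delete()` shrinks the buffer on every pass. Since this path is driven by malformed message content, I would state both facts in the comment, for example `/* invalid input - drop the bytes appended above (data/size were not advanced, so they are re-appended on retry), then the pos bytes already parsed; pos > 0, so the buffer shrinks each pass */`. The loop header and the start of mail_html2text_more() are outside this hunk, so the exit condition is inferred from the visible branches.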
--- a/src/lib-mail/test-mail-html2text.c	Sat Nov 19 02:32:21 2016 +0200
+++ b/src/lib-mail/test-mail-html2text.c	Tue Nov 22 18:33:12 2016 +0200
@@ -10,6 +10,8 @@
 	const char *input;
 	const char *output;
 } tests[] = {
+	{ "&&aaaaaaaaaa", "" },
+
 	{ "a&amp;&lt;&clubs;&gt;b",
 	  "a&<\xE2\x99\xA3>b" },
 	{ "&", "" },
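Review bot: The added case `{ "&&aaaaaaaaaa", "" }` carries no comment tying it to the assertion failure it guards against, so a later cleanup could drop it as a near-duplicate of the `{ "&", "" }` entry below. A one-line comment such as `/* invalid entity: used to panic in mail_html2text_more() */` would record why it exists. Whether this input reaches the buffered-input loop depends on the test driver feeding it across more than one call; the driver is outside this hunk, so that is worth confirming.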