From c299c454a967f0e8f2cac2f12eb33234acef7447 Mon Sep 17 00:00:00 2001
From: "Steffen (Daode) Nurpmeso"
Date: Mon, 22 Sep 2014 15:42:22 +0200
Subject: [PATCH] Fix QP encoding canary violation (Peter Hofmann)..

Peter Hofmann (snailusers AT uninformativ DOT de) reported on s-nail-users@ a crash and analyzed that mime_cte.c: qp_encode_calc_size() doesn't take into account the soft/hard NL pairs that will be injected in case the output spans multiple lines.

This patch is based upon his one.
---
 mime_cte.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/mime_cte.c b/mime_cte.c
index 9ed008a5..561de0d9 100644
--- a/mime_cte.c
+++ b/mime_cte.c
@@ -330,9 +330,21 @@ mime_cte_mustquote(char const *ln, size_t lnlen, bool_t ishead)
 FL size_t
 qp_encode_calc_size(size_t len)
 {
+   size_t i;
    NYD_ENTER;
-   /* Worst case: 'CRLF' -> '=0D=0A=\n\0' */
-   len = (len * 3) + 1/* soft NL */ + 1/* visual NL */ + 1/* NUL */;
+   /* The worst case sequence is 'CRLF' -> '=0D=0A=\n\0'.
+    * However, we must be aware that (a) the output may span multiple lines
+    * and (b) the input does not end with a newline itself (nonetheless):
+    * LC_ALL=C PERL5OPT= perl -CS -e 'print "\x{101D0}" x 100' |
+    * MAILRC=/dev/null LC_ALL=en_US.UTF-8 s-nail -nvvd \
+    * -Ssendcharsets=utf8 -s testsub ./LETTER */
+   /* TODO This example shows two things: 1. as stated in TODO this must
+    * TODO be sequentialised! and 2. this shouldn't end up QP-encoded! */
+   len *= 3;
+   i = (len / QP_LINESIZE) + 1;
+   i <<= 1; /* Double: soft and embedded NL.. */
+   ++i; /* \0 */
+   len += ++i; /* ..and \0 */
    NYD_LEAVE;
    return len;
 }
-- 
2.11.4.GIT
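Review bot: The new line-count estimate `i = (len / QP_LINESIZE) + 1;` assumes every output line carries exactly QP_LINESIZE encoded bytes before its soft break; if the encoder wraps earlier — to avoid splitting an `=XX` escape, or because the soft `=` itself is counted within the line limit — the number of `=\n` pairs is underestimated and on long inputs the buffer can still come out a few bytes short, which is the same overflow class this commit is fixing. The encoder is not visible from this hunk, so this has to be checked against its actual wrap rule; a defensive form divides by the minimum payload a line can carry rather than by QP_LINESIZE, e.g. `i = (len / (QP_LINESIZE - 3)) + 1;` if a line may give up to three data bytes to the break, or at least record the assumption next to the division: `/* Assumes the encoder fills exactly QP_LINESIZE bytes per line before the soft "=\n" */`. The consecutive `++i; /* \0 */` and `len += ++i; /* ..and \0 */` both claim to account for the terminating NUL; the second increment is either a deliberate extra slack byte or a stale comment, and one of the two comments should say which so the next reader does not "fix" it back down. As a minor point, `len *= 3` wraps silently for `len > SIZE_MAX / 3`; for line-sized inputs this is not reachable in practice, but a caller contract or an assertion would make that explicit.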