head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2; locks; strict; comment @# @; 1.2 date 2012.08.14.22.08.09; author gdt; state dead; branches; next 1.1; 1.1 date 2012.08.09.10.06.47; author drochner; state Exp; branches; next ; desc @@ 1.2 log @Update to 3.2.1. (This is a security release, but pkgsrc already had patches from upstream.) This version corrects two heap overflows reported by our users: - A small write overflow, reported by Justin Ferguson - A large read overflow, reported by Ben Hawkes @ text @$NetBSD: patch-CVE-2012-3461-aa,v 1.1 2012/08/09 10:06:47 drochner Exp $ --- src/b64.c.orig 2008-05-27 12:35:28.000000000 +0000 +++ src/b64.c @@@@ -55,7 +55,7 @@@@ VERSION HISTORY: \******************************************************************* */ /* system headers */ -#include +#include #include /* libotr headers */ @@@@ -147,8 +147,9 @@@@ static size_t decode(unsigned char *out, * base64 decode data. Skip non-base64 chars, and terminate at the * first '=', or the end of the buffer. * - * The buffer data must contain at least (base64len / 4) * 3 bytes of - * space. This function will return the number of bytes actually used. + * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes + * of space. This function will return the number of bytes actually + * used. 
*/ size_t otrl_base64_decode(unsigned char *data, const char *base64data, size_t base64len) @@@@ -234,13 +235,18 @@@@ int otrl_base64_otr_decode(const char *m return -2; } + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { return -1; } - rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */ + + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ *bufp = rawmsg; *lenp = rawlen; @ 1.1 log @att patches from upstream to fix buffer overflow in the base64 decoder which can lead to crashes or potentially code injection (CVE-2012-3461) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
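Review bot: The buffer requirement in the comment above `otrl_base64_decode` is written out as arithmetic, `((base64len+3) / 4) * 3`, while the caller patched in the next hunk sizes its buffer with `OTRL_B64_MAX_DECODED_SIZE(msglen)`. The macro's definition is not on this page, so it is presumably this same expression. Naming it in the contract would keep the comment and the allocation sites from drifting apart, for example `* The buffer data must contain at least OTRL_B64_MAX_DECODED_SIZE(base64len) bytes of space.` Because the documented minimum has grown, any other caller that still allocates `(base64len / 4) * 3` bytes is undersized whenever `base64len` is not a multiple of 4. Those call sites are outside this patch and should be checked against the new bound.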
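Review bot: `msglen -= 5;` has no visible guard, and the result now feeds both `OTRL_B64_MAX_DECODED_SIZE(msglen)` for the allocation and the length passed to `otrl_base64_decode`. If `msglen` is a `size_t`, as the decoder's `base64len` parameter suggests, a value below 5 would wrap to a huge length. The guarantee that at least the five bytes of "?OTR:" are present presumably comes from the tag search earlier in `otrl_base64_otr_decode`, which starts outside this hunk. I would either state that invariant in the new comment, `/* Skip over the "?OTR:" (msglen >= 5: otrtag points at the tag) */`, or make it explicit with `if (msglen < 5) return -2;` before the adjustment. This assumes -2 is the malformed-message code, as the `return -2;` just above the hunk suggests.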