From 1a1f01ecf9bf4521386905df87f2253a78e4ddc9 Mon Sep 17 00:00:00 2001
From: Christian Neukirchen
Date: Thu, 14 Jul 2016 17:43:09 +0200
Subject: rfc2047: blaze822_decode_qp: check bounds
---
 rfc2047.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'rfc2047.c')
diff --git a/rfc2047.c b/rfc2047.c
index 2b9dfc0..ed39084 100644
--- a/rfc2047.c
+++ b/rfc2047.c
@@ -38,8 +38,12 @@ blaze822_decode_qp(char *start, char *stop, char **deco, size_t *decleno)
 if (*s == '=' && s[1] == '\n') {
 s += 2;
 } else if (*s == '=' && s+2 < stop) {
- *buf++ = (hex[s[1]] << 4) | hex[s[2]];
+ unsigned char c1 = s[1];
+ unsigned char c2 = s[2];
 s += 3;
+ if (c1 > 127 || c2 > 127 || hex[c1] < 0 || hex[c2] < 0)
+ continue;
+ *buf++ = (hex[c1] << 4) | hex[c2];
 } else if (*s == '_') {
 *buf++ = ' ';
 s++;
-- cgit 1.4.1
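Review bot: The first branch, `if (*s == '=' && s[1] == '\n')`, still reads `s[1]` without comparing against `stop`, so an input whose last byte is `=` makes the decoder look one byte past the range it was given; this commit bounds-checks only the hex branch. A matching guard there would close it: `if (*s == '=' && s+1 < stop && s[1] == '\n') {`. Separately, `hex[c1] < 0` can only fire if `hex` has a signed element type; its declaration is outside the hunk, so that is worth confirming, since plain `char` is unsigned on some ABIs and the check would then never reject anything. The body of blaze822_decode_qp starts and ends outside the hunk.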