From ba6b44f6745b14dce414761a8e4b35d31b176bba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 20 Oct 2017 15:15:47 +0200
Subject: Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* src/retr.c (fd_read_body): Stop processing on negative chunk size

Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
---
 src/retr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/retr.c b/src/retr.c
index c1bc600..6555ed4 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
               remaining_chunk_size = strtol (line, &endl, 16);
               xfree (line);
 
+              if (remaining_chunk_size < 0)
+                {
+                  ret = -1;
+                  break;
+                }
+
               if (remaining_chunk_size == 0)
                 {
                   ret = 0;
-- 
cgit v1.0-41-gc330