Fix a runaway string read in procmime_decode_content()
authorAndrej Kacian <ticho@claws-mail.org>
Thu, 25 Apr 2019 20:20:06 +0000 (22:20 +0200)
committerAndrej Kacian <ticho@claws-mail.org>
Thu, 25 Apr 2019 20:20:06 +0000 (22:20 +0200)
We initialize the output buffer for g_base64_decode_step()
to zeroes, so that we can later call strlen() on it
safely.
We also allocate one byte more than we write, so that
the trailing zero byte is guaranteed to be there.

src/procmime.c

index 2be6961e3762c3e8b60128d98691c0e93abb7332..a5961b7add3e8312b8431e2f727f7d9b4eb4fa1e 100644 (file)
@@ -366,7 +366,7 @@ gboolean procmime_decode_content(MimeInfo *mimeinfo)
                if (flowed)
                        FLUSH_LASTLINE();
        } else if (encoding == ENC_BASE64) {
-               gchar outbuf[BUFFSIZE];
+               gchar outbuf[BUFFSIZE + 1];
                gint len, inlen, inread;
                gboolean got_error = FALSE;
                gboolean uncanonicalize = FALSE;
@@ -390,6 +390,7 @@ gboolean procmime_decode_content(MimeInfo *mimeinfo)
 
                while ((inlen = MIN(readend - ftell(infp), sizeof(buf))) > 0 && !err) {
                        inread = claws_fread(buf, 1, inlen, infp);
+                       memset(outbuf, 0, sizeof(buf));
                        len = g_base64_decode_step(buf, inlen, outbuf, &state, &save);
                        if (uncanonicalize == TRUE && strlen(outbuf) < len && starting) {
                                uncanonicalize = FALSE;
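Review bot: The added `memset(outbuf, 0, sizeof(buf));` zeroes the size of a different array than the one it clears, so the extra byte that the first hunk adds to `outbuf` (`gchar outbuf[BUFFSIZE + 1];`) is the one byte that is never zeroed, and the "trailing zero byte is guaranteed" claim in the description only holds because a base64 decode step writes at most three quarters of `inlen` bytes and the terminator therefore lands inside the zeroed prefix. Tying the length to the buffer being cleared, `memset(outbuf, 0, sizeof(outbuf));`, makes the guarantee local to this line instead of depending on `buf` and `outbuf` having related sizes; `buf` is declared outside the hunk, so I cannot confirm its size from here. A one-line comment would also help the next reader, since zeroing an output buffer before a decode call looks redundant: `/* strlen(outbuf) below needs a terminator after the decoded bytes */`. Note that `strlen(outbuf) < len` compares a size_t with a gint, so the zeroing only makes the read bounded, not the comparison well-typed. procmime_decode_content() continues past the end of the hunk.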