authorKevin McCarthy <kevin@8t8.us>2023-09-09 14:55:00 +0800
committerKevin McCarthy <kevin@8t8.us>2023-09-09 14:55:00 +0800
commit757ca3b39eaee9c3c5b462c160b66e334cafa7c4 (patch)
tree054ac8a5e9698839f59bdc3c8660a6567fa54534
parentb85b0dbfcbfb2df289e94c4e5a80718ddc2563d2 (diff)
parent0a81a2a7ca2b4f33ae686bdedecbbdfd54cd1aff (diff)
Merge branch 'stable'master
-rw-r--r--ChangeLog88
-rw-r--r--UPDATING4
-rw-r--r--VERSION2
-rw-r--r--rfc2047.c2
-rw-r--r--sendlib.c6
5 files changed, 97 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 4a3afd7f..0172cb8e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,91 @@
+2023-09-09 14:42:14 +0800 Kevin McCarthy <kevin@8t8.us> (6a155b49)
+
+ * Update UPDATING file for 2.2.12 release.
+
+M UPDATING
+
+2023-09-03 14:11:48 +0800 Kevin McCarthy <kevin@8t8.us> (a4752eb0)
+
+ * Fix write_one_header() illegal header check.
+
+ This is another crash caused by the rfc2047 decoding bug fixed in the
+ second prior commit.
+
+ In this case, an empty header line followed by a header line starting
+ with ":", would result in t==end.
+
+ The mutt_substrdup() further below would go very badly at that point,
+ with t >= end+1. This could result in either a memcpy onto NULL or a
+ huge malloc call.
+
+ Thanks to Chenyuan Mi (@morningbread) for giving a working example
+ draft message of the rfc2047 decoding flaw. This allowed me, with
+ further testing, to discover this additional crash bug.
+
+M sendlib.c
+
+2023-09-04 12:50:07 +0800 Kevin McCarthy <kevin@8t8.us> (4cc3128a)
+
+ * Check for NULL userhdrs.
+
+ When composing an email, miscellaneous extra headers are stored in a
+ userhdrs list. Mutt first checks to ensure each header contains at
+ least a colon character, passes the entire userhdr field (name, colon,
+ and body) to the rfc2047 decoder, and safe_strdup()'s the result on
+ the userhdrs list. An empty result would from the decode would result
+ in a NULL headers being added to list.
+
+ The previous commit removed the possibility of the decoded header
+ field being empty, but it's prudent to add a check to the strchr
+ calls, in case there is another unexpected bug resulting in one.
+
+ Thanks to Chenyuan Mi (@morningbread) for discovering the two strchr
+ crashes, giving a working example draft message, and providing the
+ stack traces for the two NULL derefences.
+
+M sendlib.c
+
+2023-09-03 12:22:01 +0800 Kevin McCarthy <kevin@8t8.us> (452ee330)
+
+ * Fix rfc2047 base64 decoding to abort on illegal characters.
+
+ For some reason, the rfc2047 base64 decoder ignored illegal
+ characters, instead of aborting. This seems innocuous, but in fact
+ leads to at least three crash-bugs elsewhere in Mutt.
+
+ These stem from Mutt, in some cases, passing an entire header
+ field (name, colon, and body) to the rfc2047 decoder. (It is
+ technically incorrect to do so, by the way, but is beyond scope for
+ these fixes in stable). Mutt then assumes the result can't be empty
+ because of a previous check that the header contains at least a colon.
+
+ This commit takes care of the source of the crashes, by aborting the
+ rfc2047 decode. The following two commits add protective fixes to the
+ specific crash points.
+
+ Thanks to Chenyuan Mi (@morningbread) for discovering the strchr
+ crashes, giving a working example draft message, and providing the
+ stack traces for the two NULL derefences.
+
+M rfc2047.c
+
+2023-08-23 15:40:19 +0800 Kevin McCarthy <kevin@8t8.us> (7eb9c18f)
+
+ * Add a documentation note that aliases are case insensitive.
+
+ It's very old behavior, but doesn't seem to be documented anywhere.
+
+ Thanks to Charles for pointing that out.
+
+M doc/manual.xml.head
+
+2023-08-18 11:17:23 +0800 Kevin McCarthy <kevin@8t8.us> (6b538297)
+
+ * automatic post-release commit for mutt-2.2.11
+
+M ChangeLog
+M VERSION
+
2023-08-18 11:07:42 +0800 Kevin McCarthy <kevin@8t8.us> (d619496e)
* Update UPDATING file for 2.2.11 release.
diff --git a/UPDATING b/UPDATING
index c56ebd94..29db297b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,10 @@ http://www.mutt.org/relnotes/
The keys used are:
!: modified feature, -: deleted feature, +: new feature
+2.2.12 (2023-09-09):
+
+ ! Bug fix release.
+
2.2.11 (2023-08-18):
! Bug fix release.
diff --git a/VERSION b/VERSION
index 0b6e4313..98c938ec 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2.11
+2.2.12
diff --git a/rfc2047.c b/rfc2047.c
index 1ce82ebb..36cc76db 100644
--- a/rfc2047.c
+++ b/rfc2047.c
@@ -724,7 +724,7 @@ static int rfc2047_decode_word (BUFFER *d, const char *s, char **charset)
if (*pp == '=')
break;
if ((*pp & ~127) || (c = base64val(*pp)) == -1)
- continue;
+ goto error_out_0;
if (k + 6 >= 8)
{
k -= 2;
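Review bot: The new `goto error_out_0` deserves a comment explaining why an illegal base64 character now aborts the whole encoded word instead of being skipped, because the rationale lives only in the ChangeLog and the code reads like an arbitrary strictness change: `/* Abort on illegal input rather than skip it: silently dropping bytes let an entire header field decode to an empty string, which callers assume cannot happen once the field has passed the colon check. */`. Whether `error_out_0` also discards the bytes already appended to `d` is not visible here, since rfc2047_decode_word() starts and ends outside the hunk; if it does not, a caller could still receive a partially decoded word, so the cleanup at that label is worth confirming when this is merged. The `if (*pp == '=') break;` just above still ends the loop at padding, so the abort applies only to non-padding characters outside the base64 alphabet, which matches the intent described in the commit message.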
diff --git a/sendlib.c b/sendlib.c
index c2283972..204b1308 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
else
{
t = strchr (start, ':');
- if (!t || t > end)
+ if (!t || t >= end)
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));
@@ -2418,7 +2418,7 @@ int mutt_write_rfc822_header (FILE *fp, ENVELOPE *env, BODY *attach, char *date,
/* Add any user defined headers */
for (; tmp; tmp = tmp->next)
{
- if ((p = strchr (tmp->data, ':')))
+ if ((p = strchr (NONULL (tmp->data), ':')))
{
q = p;
@@ -2466,7 +2466,7 @@ static void encode_headers (LIST *h)
for (; h; h = h->next)
{
- if (!(p = strchr (h->data, ':')))
+ if (!(p = strchr (NONULL (h->data), ':')))
continue;
i = p - h->data;