Infinity loop in g_mime_multipart_get_boundary

[detrio333]

I checked my app with gmime fuzzing test. Fuzzing suggests a little strange data nevertheless it's way to safete work

My oversimpified message: char* text = "Content-Type: multipart/mixed;\n ќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќќ="ќ";

I parsed it and set callback for g_mime_message_foreach.

void MultipartCallback(GMimeObject* parent, GMimeObject* object, gpointer wrapper)
{
    if (!GMIME_IS_MULTIPART(object))
        return;
    GMimeMultipart* multipart = GMimeMultipart*(object);
    const char* boundary = g_mime_multipart_get_boundary(multipart);
}

It causes infinity loop in finction g_mime_param_list_encode src gmime-param.c

I know my message is strange, but I hope for safety work with any data GMIME_VERSION "3.2.13"

Thanks!

[jstedfast]

Would you be able to step through this in a debugger for me? I don't have a system setup to build & debug gmime right now, so it'll be a while before I have the time to set all of that up to work on this issue.

If you could do it for me, it would speed up the process quite a bit.

[detrio333]

I have no idea how to show bug case step by step in debugger. I can see infinity loop here https://github.com/jstedfast/gmime/blob/4100b76d2d06d3fa810cbaaee64f3bf42d7627bb/gmime/gmime-param.c#L802 But way to here is so long

My decision is using g_mime_object_get_content_type_parameter(object, "boundary") without auto-generated boundary I haven't simple solution infinity loop problem

[jstedfast]

We'll see if the above patch fixes things...

[jstedfast]

Can you build the latest code and run: ./tests/test-headers -vvvv and paste the output for me?

[jstedfast]

This is confirmed fixed