From 6d6fae79e016629b6c896463f62e7b1a6e651ed6 Mon Sep 17 00:00:00 2001 From: liningjie Date: Thu, 24 Aug 2023 11:36:22 +0800 Subject: [PATCH] Bug #706494 "Buffer Overflow in s_xBCPE_process" As described in detail in the bug report, if the write buffer is filled to one byte less than full, and we then try to write an escaped character, we overrun the buffer because we don't check before writing two bytes to it. This just checks if we have two bytes before starting to write an escaped character and exits if we don't (replacing the consumed byte of the input). Up for further discussion; why do we even permit a BCP encoding filter anyway ? I think we should remove this, at least when SAFER is true. --- base/sbcp.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/base/sbcp.c b/base/sbcp.c index 6b0383c..3b8970f 100644 --- a/base/sbcp.c +++ b/base/sbcp.c @@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, byte ch = *++p; if (ch <= 31 && escaped[ch]) { + /* Make sure we have space to store two characters in the write buffer, + * if we don't then exit without consuming the input character, we'll process + * that on the next time round. + */ + if (pw->limit - q < 2) { + p--; + break; + } if (p == rlimit) { p--; break; -- 2.27.0
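Review bot: the new `if (pw->limit - q < 2)` guard is placed ahead of the existing `if (p == rlimit)` check, and both share the same body (`p--; break;`), so after the loop the caller can no longer tell from `p` alone whether the filter stopped because the output buffer is full or because the input is exhausted; the status value that is set after the `break` is not in this hunk, so please confirm it is derived from the write cursor (output full) as well as from `p == rlimit`, otherwise a one-byte-free write buffer with input still pending could be reported as "need more input" and the escaped character would never be re-processed. A second point: the check relies on the cursor convention that `q` is the last byte written and `pw->limit` the last usable byte, so `pw->limit - q` is the count of free bytes; a one-line comment stating that, next to "Make sure we have space to store two characters", would make the `< 2` constant self-explanatory to the next reader. The commit message's question about keeping the BCP encoding filter under SAFER is separate from this fix and should be raised as its own bug rather than left in the log.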