From 1f55cee8b3d0956adc98834f7b5832e48e077ed7 Mon Sep 17 00:00:00 2001
From: Eike Hein <hein@kde.org>
Date: Fri, 24 Oct 2014 13:57:54 +0200
Subject: [PATCH 23/23] Do a bounds check on ECB blocks.

Blindly assuming they're the expected 12 chars can lead to a crash
on malformed input.

Original patch by Manuel Nickschas for Quassel, who incorporated
the original Konversation code into Quassel in 2009.

Upstream:
https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
---
 src/cipher.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/cipher.cpp b/src/cipher.cpp
index 514e390..019b0ac 100644
--- a/src/cipher.cpp
+++ b/src/cipher.cpp
@@ -353,8 +353,12 @@ namespace Konversation
         }
         else
         {
+        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+        if ((temp.length() % 12) != 0)
+            return cipherText;
+
             temp = b64ToByte(temp);
-            while((temp.length() % 8) != 0) temp.append('\0');
+            while ((temp.length() % 8) != 0) temp.append('\0');
         }
 
         QCA::Direction dir = (direction) ? QCA::Encode : QCA::Decode;
@@ -362,11 +366,17 @@ namespace Konversation
         QByteArray temp2 = cipher.update(QCA::MemoryRegion(temp)).toByteArray();
         temp2 += cipher.final().toByteArray();
 
-        if(!cipher.ok())
+        if (!cipher.ok())
             return cipherText;
 
-        if(direction)
+        if (direction)
+        {
+            // Sanity check
+            if ((temp2.length() % 8) != 0)
+                return cipherText;
+
             temp2 = byteToB64(temp2);
+        }
 
         return temp2;
     }
-- 
1.9.3