From 51673214abae762f16c8d4eab67152f7cb703da7 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Fri, 26 Nov 2021 23:05:30 +0100
Subject: [PATCH] fix read beyond end of input in copy_msg_convert()

the input isn't necessarily null-terminated (it currently is for imap, but not for maildir), so if the message ended somewhere within the header field name, we'd read beyond its end, which theoretically could cause a crash. no other adverse effects could result, as we'd stop processing such a broken message right afterwards.

amends 70bad661.
---
 src/sync.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/sync.c b/src/sync.c
index 32d4fa1..6685b78 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -428,9 +428,10 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t )
 if (!vars->minimal)
 goto oke;
 } else {
- if (break2 == UINT_MAX && vars->minimal && !strncasecmp( in_buf + start, "Subject:", 8 )) {
+ if (break2 == UINT_MAX && vars->minimal &&
+ starts_with_upper( in_buf + start, (int)(in_len - start), "SUBJECT:", 8 )) {
 break2 = start + 8;
- if (in_buf[break2] == ' ')
+ if (break2 < in_len && in_buf[break2] == ' ')
 break2++;
 }
 lines++;
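Review bot: The invariant this fix relies on — `in_buf` is not NUL-terminated for every backend, so every index into it must be bounded by `in_len` — is stated only in the commit message, not in the code, which makes the same unguarded read easy to reintroduce at the next header match; a comment at the top of copy_msg_convert (outside this hunk) such as `/* in_buf is NOT NUL-terminated (maildir); bound every read by in_len, never rely on a terminator */` would make it explicit. The `(int)(in_len - start)` cast on the new starts_with_upper() call also narrows silently; the cast suggests the helper takes an `int` length, in which case a buffer larger than INT_MAX would become a negative length — presumably unreachable for a message body, but a short comment or an `assert( in_len - start <= INT_MAX )` at the call would document that assumption. The enclosing function, the declarations of `in_len`/`break2` and the later uses of `break2` all lie outside this hunk, so whether those later indexes are themselves bounded cannot be confirmed here.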