Skip to content

Commit

Permalink
message_parse_received_date() avoid calling message_parse_string(hdr="")
Browse files Browse the repository at this point in the history
as the latter does hdr = strchr(hdr+1, '\n') and hdr+1 is not allocated.
  • Loading branch information
Дилян Палаузов authored and dilyanpalauzov committed Dec 16, 2023
1 parent 07d6e26 commit aa11be7
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 1 deletion.
13 changes: 13 additions & 0 deletions cunit/message.testc
Original file line number Diff line number Diff line change
Expand Up @@ -1391,4 +1391,17 @@ static void test_parse_bogus_charset_params(void)
#undef TESTCASE
}

/*
* Verifies that message_parse_received_date() does not read
* uninitialized data in the second call to message_parse_string()
*/
static void test_parse_received_semicolon(void)
{
static const char msg[] = "Received: abc;\r\n\r\nd";
struct body body;
memset(&body, 0x45, sizeof(body));
CU_ASSERT_EQUAL(message_parse_mapped(msg, sizeof(msg)-1, &body, NULL), 0);
CU_ASSERT_STRING_EQUAL(body.received_date, "");
message_free_body(&body);
}
/* vim: set ft=c: */
2 changes: 1 addition & 1 deletion imap/message.c
Original file line number Diff line number Diff line change
Expand Up @@ -2010,7 +2010,7 @@ static void message_parse_received_date(const char *hdr, char **hdrp)
curp--;

/* Didn't find ; - fill in hdrp so we don't look at next received header */
if (curp == hdrbuf) {
if (curp == hdrbuf || curp[1] == '\0') {
*hdrp = hdrbuf;
return;
}
Expand Down

0 comments on commit aa11be7

Please sign in to comment.