lib-mail: Fix out-of-bounds read when parsing an invalid email address

The included unit test doesn't fail, but running it with valgrind shows
"Invalid read of size 1" error.

Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c

Discovered by Aleksandar Nikolic of Cisco Talos

diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c
index beb81ee29821b232f1bf08083a9ebf99fab0d0af..787a26e017879182d880e6fa22f8bea4e99006fd 100644 (file)
--- a/src/lib-mail/message-address.c
+++ b/src/lib-mail/message-address.c
@@ -221,7 +221,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
                /* end of input or parsing local-part failed */
                ctx->addr.invalid_syntax = TRUE;
        }
-       if (ret != 0 && *ctx->parser.data == '@') {
+       if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+           *ctx->parser.data == '@') {
                ret2 = parse_domain(ctx);
                if (ret2 <= 0)
                        ret = ret2;

diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c
index f6a87669e396fd28f9bbeb2a13cd673739914ef6..c963aa62f7adb6740a094a956ed71f20e2264a76 100644 (file)
--- a/src/lib-mail/test-message-address.c
+++ b/src/lib-mail/test-message-address.c
@@ -198,6 +198,16 @@ static void test_message_address(void)
                { "<@>", "", "<INVALID_ROUTE:MISSING_MAILBOX@MISSING_DOMAIN>",
                  { NULL, NULL, NULL, "", "", TRUE },
                  { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+               /* Test against a out-of-bounds read bug - keep these two tests
+                  together in this same order: */
+               { "aaaa@", "<aaaa>", "<aaaa@MISSING_DOMAIN>",
+                 { NULL, NULL, NULL, "aaaa", "", TRUE },
+                 { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+               { "a(aa", "", "<MISSING_MAILBOX@MISSING_DOMAIN>",
+                 { NULL, NULL, NULL, "", "", TRUE },
+                 { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+                 TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
        };
        static struct message_address group_prefix = {
                NULL, NULL, NULL, "group", NULL, FALSE