From: ihsinme <61293369+ihsinme@users.noreply.github.com>
Date: Mon, 28 Sep 2020 19:26:27 +0000 (-0400)
Subject: lib-mail: html2text - Fix buffer out-of-bounds access
X-Git-Tag: 2.3.13~158
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ca475537ed94aa13d5b528af3c473c7cc27c1ec;p=thirdparty%2Fdovecot%2Fcore.git

lib-mail: html2text - Fix buffer out-of-bounds access

The passed in buffer size is at least 1 byte shorter than the actual buffer
size, therefore there is no chance of a crash.
---

diff --git a/src/lib-mail/mail-html2text.c b/src/lib-mail/mail-html2text.c
index 3d9f9beb4f..d186f67661 100644
--- a/src/lib-mail/mail-html2text.c
+++ b/src/lib-mail/mail-html2text.c
@@ -87,7 +87,7 @@ parse_tag_name(struct mail_html2text *ht,
 		return 8 + 1;
 	}
 
-	if (size >= 10 && i_memcasecmp(data, "blockquote", 10) == 0 &&
+	if (size >= 11 && i_memcasecmp(data, "blockquote", 10) == 0 &&
 	    (HTML_WHITESPACE(data[10]) || data[10] == '>')) {
 		ht->quote_level++;
 		ht->state = HTML_STATE_TAG;