From 1ae3ca298803dc64cfbe278ba93bccb8c203b81f Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Fri, 11 Sep 2020 21:53:06 +0200
Subject: [PATCH] lib-smtp: smtp-command-parser - Fix read past buffer limit
 while parsing UTF-8 character.

The buffer limit was specified as (buf->pos - buf->end) rather than (buf->end -
buf->pos). Since at most a valid UTF-8 character can be read beyond the buffer
size, this bug didn't cause noticeable effects, nor does it present an attack
surface.
---
 src/lib-smtp/smtp-command-parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib-smtp/smtp-command-parser.c b/src/lib-smtp/smtp-command-parser.c
index 3c4860c0a2..f60461e8d1 100644
--- a/src/lib-smtp/smtp-command-parser.c
+++ b/src/lib-smtp/smtp-command-parser.c
@@ -180,7 +180,7 @@ static int smtp_command_parse_parameters(struct smtp_command_parser *parser)
 		if (parser->auth_response)
 			ch = *p;
 		else {
-			nch = uni_utf8_get_char_n(p, (size_t)(p - parser->end),
+			nch = uni_utf8_get_char_n(p, (size_t)(parser->end - p),
 						  &ch);
 		}
 		if (nch == 0)
-- 
2.47.3