[Minor] str_util: fix lookahead over-read in find_eoh

rspamd_string_find_eoh peeks p[1] in the got_cr state but guarded it
with "p < end", which is already guaranteed by the loop and does not
cover the p+1 access. On input whose header region ends with \r\r the
peek read one byte past the buffer; the MIME parser calls this with a
non-NUL-terminated GString view over the message, so that byte is not
guaranteed to exist.

Check p + 1 < end instead; a truncated \r\r at end of input then
falls through to the existing branch that treats it as end-of-headers.

diff --git a/src/libutil/str_util.c b/src/libutil/str_util.c
index ac2311ff6258b01b2ae648480b3e4eedfff64383..fc78cd22dee2205f7b8d52bb4e64b26f03924b69 100644 (file)
--- a/src/libutil/str_util.c
+++ b/src/libutil/str_util.c
@@ -2296,7 +2296,7 @@ rspamd_string_find_eoh(GString *input, goffset *body_start)
                                 * if it is '\n', then we have \r\r\n sequence, that is NOT
                                 * double end of line
                                 */
-                               if (p < end && p[1] == '\n') {
+                               if (p + 1 < end && p[1] == '\n') {
                                        p++;
                                        state = got_lf;
                                }