lib-mail: message-date - Add missing bounds checking

All current callers are guaranteed to pass input that is NUL-terminated.
In case of SEARCH SENT* commands the input comes from buffer_t, which is also
guaranteed to be NUL-terminated (although not necessarily immediately after the
input data).

Found by naoki-wa via yeswehack.

diff --git a/src/lib-mail/message-date.c b/src/lib-mail/message-date.c
index 7a7529a6c806110c41699e3281b5e77ca8ea799e..21763d05d656e5ba8b623b81d77c10c1c9db1e5c 100644 (file)
--- a/src/lib-mail/message-date.c
+++ b/src/lib-mail/message-date.c
@@ -129,7 +129,8 @@ message_date_parser_tokens(struct message_date_parser_context *ctx,
        if (next_token(ctx, &value, &len) <= 0)
                return FALSE;
        if (len == 3) {
-               if (*ctx->parser.data != ',')
+               if (ctx->parser.data == ctx->parser.end ||
+                   *ctx->parser.data != ',')
                        return FALSE;
                ctx->parser.data++;
                rfc822_skip_lwsp(&ctx->parser);
@@ -194,7 +195,8 @@ message_date_parser_tokens(struct message_date_parser_context *ctx,
        }
 
        /* :mm (may be the last token) */
-       if (!IS_TIME_SEP(*ctx->parser.data))
+       if (ctx->parser.data == ctx->parser.end ||
+           !IS_TIME_SEP(*ctx->parser.data))
                return FALSE;
        ctx->parser.data++;
        rfc822_skip_lwsp(&ctx->parser);