From: Aki Tuomi Date: Sun, 9 Nov 2025 17:32:36 +0000 (+0200) Subject: lib-mail: message-date - Add missing bounds checking X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95573f3d0e9cb115360ec5fb360fdd41edd44714;p=thirdparty%2Fdovecot%2Fcore.git lib-mail: message-date - Add missing bounds checking All current callers are guaranteed to pass input that is NUL-terminated. In case of SEARCH SENT* commands the input comes from buffer_t, which is also guaranteed to be NUL-terminated (although not necessarily immediately after the input data). Found by naoki-wa via yeswehack. --- diff --git a/src/lib-mail/message-date.c b/src/lib-mail/message-date.c index 7a7529a6c8..21763d05d6 100644 --- a/src/lib-mail/message-date.c +++ b/src/lib-mail/message-date.c @@ -129,7 +129,8 @@ message_date_parser_tokens(struct message_date_parser_context *ctx, if (next_token(ctx, &value, &len) <= 0) return FALSE; if (len == 3) { - if (*ctx->parser.data != ',') + if (ctx->parser.data == ctx->parser.end || + *ctx->parser.data != ',') return FALSE; ctx->parser.data++; rfc822_skip_lwsp(&ctx->parser); @@ -194,7 +195,8 @@ message_date_parser_tokens(struct message_date_parser_context *ctx, } /* :mm (may be the last token) */ - if (!IS_TIME_SEP(*ctx->parser.data)) + if (ctx->parser.data == ctx->parser.end || + !IS_TIME_SEP(*ctx->parser.data)) return FALSE; ctx->parser.data++; rfc822_skip_lwsp(&ctx->parser);
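Review bot: no regression test accompanies the new end check in the `len == 3` branch of the first hunk (@@ -129,7 +129,8 @@); the diff touches only src/lib-mail/message-date.c. The commit message notes that the NUL terminator is not necessarily immediately after the input data, so a test that passes a length-bounded input ending right after a three-letter day name, with a `,` as the next byte in the underlying buffer, would confirm that the parser now returns FALSE instead of reading the byte at `ctx->parser.end`.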
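Review bot: the guard before `IS_TIME_SEP(*ctx->parser.data)` in the second hunk (@@ -194,7 +195,8 @@) repeats the `ctx->parser.data == ctx->parser.end ||` condition added in the first hunk. Folding both into one small helper that checks for the end before dereferencing would keep the two sites consistent. The reason the old code did not crash (callers pass NUL-terminated input) is recorded only in the commit message; a short comment next to the check, stating that the parser must not rely on that terminator, would keep the contract visible in the code.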