lib-mail: mbox_from_parse() - Fix bounds check in time parsing

Add bounds checks before hour/minute parsing (msg + 5 > msg_end)
and before optional seconds parsing (msg + 3 > msg_end). The
alt_stamp path consumes a variable number of bytes for the day
field, which can exhaust the initial budget before reaching the
time section.

Also guard the optional seconds entry with msg >= msg_end to
handle truncated inputs that end after minutes.

Found by fuzzing with libFuzzer and AddressSanitizer.

Signed-off-by: Mark Esler <mark@hexproof.dev>

diff --git a/src/lib-mail/mbox-from.c b/src/lib-mail/mbox-from.c
index d4ad31c834db34871e257ba1372c2feae850adeb..7d91015a49a164e317d8a15ca6a7d43e2d4c8a7f 100644 (file)
--- a/src/lib-mail/mbox-from.c
+++ b/src/lib-mail/mbox-from.c
@@ -153,7 +153,9 @@ int mbox_from_parse(const unsigned char *msg, size_t size,
        if (tm.tm_mday == 0)
                tm.tm_mday = 1;
 
-       /* hour */
+       /* hour - need at least "HH:MM" = 5 bytes */
+       if (msg + 5 > msg_end)
+               return -1;
        if (!i_isdigit(msg[0]) || !i_isdigit(msg[1]) || msg[2] != ':')
                return -1;
        tm.tm_hour = (msg[0]-'0') * 10 + (msg[1]-'0');
@@ -166,7 +168,11 @@ int mbox_from_parse(const unsigned char *msg, size_t size,
        msg += 2;
 
        /* optional second */
-       if (msg[0] == ':') {
+       if (msg >= msg_end)
+               ;
+       else if (msg[0] == ':') {
+               if (msg + 3 > msg_end)
+                       return -1;
                msg++;
                if (!i_isdigit(msg[0]) || !i_isdigit(msg[1]))
                        return -1;