lib-mail: mbox_from_parse() - Fix bounds check in named timezone

The named timezone check reads msg[0] through msg[3] without
verifying 4 bytes remain. The else-if branch below reads msg[0]
through msg[5]. When optional seconds consume the initial budget,
this reads past the buffer.

Based on code by Mark Esler <mark@hexproof.dev>

diff --git a/src/lib-mail/mbox-from.c b/src/lib-mail/mbox-from.c
index 84dcdd99f837b836c23c3f8bb2a41475252c8253..d4ad31c834db34871e257ba1372c2feae850adeb 100644 (file)
--- a/src/lib-mail/mbox-from.c
+++ b/src/lib-mail/mbox-from.c
@@ -188,8 +188,9 @@ int mbox_from_parse(const unsigned char *msg, size_t size,
        /* optional named timezone */
        if (alt_stamp)
                ;
-       else if (!i_isdigit(msg[0]) || !i_isdigit(msg[1]) ||
-                !i_isdigit(msg[2]) || !i_isdigit(msg[3])) {
+       else if (msg + 4 <= msg_end &&
+                (!i_isdigit(msg[0]) || !i_isdigit(msg[1]) ||
+                 !i_isdigit(msg[2]) || !i_isdigit(msg[3]))) {
                /* skip to next space */
                while (msg < msg_end && *msg != ' ') {
                        if (*msg == '\r' || *msg == '\n')
@@ -199,7 +200,8 @@ int mbox_from_parse(const unsigned char *msg, size_t size,
                if (msg+5 > msg_end)
                        return -1;
                msg++;
-       } else if ((msg[0] == '-' || msg[0] == '+') &&
+       } else if (msg + 6 <= msg_end &&
+                  (msg[0] == '-' || msg[0] == '+') &&
                   i_isdigit(msg[1]) && i_isdigit(msg[2]) &&
                   i_isdigit(msg[3]) && i_isdigit(msg[4]) && msg[5] == ' ') {
                /* numeric timezone, use it */