The trailing timezone check used msg != msg_end before reading
msg[0] through msg[5]. When fewer than 6 bytes remain, this
reads past the buffer. Replace with msg + 6 <= msg_end.
Found by fuzzing with libFuzzer and AddressSanitizer.
Signed-off-by: Mark Esler <mark@hexproof.dev>
}
tm.tm_isdst = -1;
- if (!seen_timezone && msg != msg_end &&
+ if (!seen_timezone && msg + 6 <= msg_end &&
msg[0] == ' ' && (msg[1] == '-' || msg[1] == '+') &&
i_isdigit(msg[2]) && i_isdigit(msg[3]) &&
i_isdigit(msg[4]) && i_isdigit(msg[5])) {
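Review bot: the new bound `msg + 6 <= msg_end` still computes a pointer more than one past the end of the buffer whenever fewer than 6 bytes remain, which is undefined behaviour in C even though the pointer is never dereferenced; writing the check as a length comparison, `msg_end - msg >= 6`, keeps the same intent without forming an out-of-range pointer. It would also be worth keeping the libFuzzer input that triggered the ASan report as a regression case, since a short trailing-timezone input is the exact case this condition guards.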