lib-sieve: util: rfc2822: Fix assert panic occurring in rfc2822_heade…

…r_append(). Panic was: "Buffer write out of range" With some rather weird (sender-provided!) input, the header folding algorithm got confused, causing a pointer to the start of the current line to exceed the parsing pointer. This caused str_append_data() to be called with a negative size. Added an assertion to make any future similar problems more obvious.
dovecot · Sep 10, 2018 · ed170e1 · ed170e1
1 parent 8647d31
commit ed170e1
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/lib-sieve/util/rfc2822.c b/src/lib-sieve/util/rfc2822.c
@@ -180,6 +180,7 @@ unsigned int rfc2822_header_append
 			sp = bp;
 		} else {
 			/* Insert newline at last whitespace within the max_line limit */
+			i_assert(wp >= sp);
 			str_append_data(header, sp, wp-sp);
 
 			/* Force continued line; drop any existing whitespace */
@@ -195,6 +196,8 @@ unsigned int rfc2822_header_append
 			str_append_c(header, '\t');
 
 			sp = wp;
+			if (sp > bp)
+				bp = sp;
 		}
 
 		lines++;