From eea7779a5d71068c9ea1b62e5e5fbe0feab3fb54 Mon Sep 17 00:00:00 2001
From: Orgad Shaneh
Date: Sun, 8 Sep 2024 17:13:35 +0300
Subject: [PATCH] Fix out-of-bound read for invalid XML

In the given example, there is an invalid field: To: sut There are no more quotes later. When we search for the terminating quote, nothing is found, so we skip to the end of the string. Then the loop continues, we have p++ and continue beyond the buffer.

Fixes #727.
---
 src/message.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/message.cpp b/src/message.cpp
index 319cb7d2..e1392639 100644
--- a/src/message.cpp
+++ b/src/message.cpp
@@ -130,7 +130,9 @@ static char* quoted_strchr(const char* s, int c)
     for (p = s; *p && *p != c; p++) {
         if (*p == '"') {
             p++;
-            p += strcspn(p, "\"");
+            p += strcspn(p, "\"\n");
+            if (!*p)
+                break;
         }
     }
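Review bot: Adding `\n` to the strcspn stop set on the `+` line changes more than the out-of-bounds case the message describes: when no closing quote is found before a newline, p stops on that newline, the loop's p++ steps over it and scanning resumes in unquoted state, so a `"` later in the input is treated as a fresh opening quote; if the callers pass header-style line-delimited text (not visible here) this is presumably what is wanted, but a comment on the new line would save the next reader from working it out, e.g. `// an unterminated quote ends at the newline or the terminating NUL, so malformed input cannot carry p past the end of the buffer`. One consequence worth noting: when c is '\n', the newline that closes an unterminated quote is consumed by the loop increment rather than returned as a match. The `if (!*p) break;` correctly covers the case where the opening `"` is the last character, since p++ then lands on the NUL and strcspn returns 0. The remainder of quoted_strchr, including what it returns after the break, lies outside the hunk.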