Fix parsing to not skip NUL characters

Fix multiple instances of the parser skipping a NUL character, causing a buffer over-read and possibly crash.
rc0 · Apr 13, 2022 · 391bfcb · 391bfcb
1 parent 6f5531d
commit 391bfcb
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/nvp.c b/nvp.c
@@ -272,8 +272,11 @@ struct nvp *make_nvp(struct msg_src *src, char *s, const char *pfx)/*{{{*/
           case GOT_NAMEVALUE_CCONT:
 	    for(tempsrc = tempdst = value; *tempsrc; tempsrc++) {
 		if (*tempsrc == '%') {
-		    int val = hex_to_val(*++tempsrc) << 4;
-		    val |= hex_to_val(*++tempsrc);
+		    int val = -1;
+		    if (tempsrc[1] && tempsrc[2]) {
+			val = hex_to_val(*++tempsrc) << 4;
+			val |= hex_to_val(*++tempsrc);
+		    }
 		    if (val < 0) {
 #ifdef TEST
 			fprintf(stderr, "'%s' could not be parsed (%%)\n", s);

diff --git a/rfc822.c b/rfc822.c
@@ -958,7 +958,7 @@ static time_t parse_rfc822_date(char *date_string)/*{{{*/
   else if (!strncasecmp(s, "dec", 3)) tm.tm_mon = 11;
   else goto tough_cheese;
 
-  while (!isspace(*s)) s++;
+  while (*s && !isspace(*s)) s++;
   while (*s && isspace(*s)) s++;
   if (!isdigit(*s)) goto tough_cheese;
   tm.tm_year = atoi(s);
@@ -1056,9 +1056,9 @@ struct rfc822 *data_to_rfc822(struct msg_src *src,
     else if (!result->hdrs.references && match_string("references:", x->text))
       result->hdrs.references = copy_header_value(x->text);
     else if (match_string("status:", x->text))
-      scan_status_flags(x->text + sizeof("status:"), &result->hdrs);
+      scan_status_flags(x->text + (sizeof("status:") - 1), &result->hdrs);
     else if (match_string("x-status:", x->text))
-      scan_status_flags(x->text + sizeof("x-status:"), &result->hdrs);
+      scan_status_flags(x->text + (sizeof("x-status:") - 1), &result->hdrs);
   }
 /*}}}*/