From 8dd4edeb90ab7bb1df5339fd29422860bf86c585 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 13 Jan 2018 06:35:12 +0100 Subject: smtp/pop3/imap_get_message: decrease the data length too... Follow-up commit to 615edc1f73 which was incomplete. Assisted-by: Max Dymond Detected by OSS-fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206 --- lib/imap.c | 8 +++++--- lib/pop3.c | 8 +++++--- lib/smtp.c | 8 +++++--- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/lib/imap.c b/lib/imap.c index 63a998b2b..cf278a22b 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -349,11 +349,13 @@ static void imap_get_message(char *buffer, char **outptr) if(len > 2) { /* Find the start of the message */ - for(message = buffer + 2; *message == ' ' || *message == '\t'; message++) + len -= 2; + for(message = buffer + 2; *message == ' ' || *message == '\t'; + message++, len--) ; /* Find the end of the message */ - for(len -= 2; len--;) + for(; len--;) if(message[len] != '\r' && message[len] != '\n' && message[len] != ' ' && message[len] != '\t') break; diff --git a/lib/pop3.c b/lib/pop3.c index 40dde1052..78f6afef1 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -248,11 +248,13 @@ static void pop3_get_message(char *buffer, char **outptr) if(len > 2) { /* Find the start of the message */ - for(message = buffer + 2; *message == ' ' || *message == '\t'; message++) + len -= 2; + for(message = buffer + 2; *message == ' ' || *message == '\t'; + message++, len--) ; /* Find the end of the message */ - for(len -= 2; len--;) + for(; len--;) if(message[len] != '\r' && message[len] != '\n' && message[len] != ' ' && message[len] != '\t') break; diff --git a/lib/smtp.c b/lib/smtp.c index b31ecb4b0..d9f1a854a 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -237,11 +237,13 @@ static void smtp_get_message(char *buffer, char **outptr) if(len > 4) { /* Find the start of the message */ - for(message = buffer + 4; *message == ' ' || *message == '\t'; message++) + len -= 4; + for(message = buffer + 4; *message == ' ' || *message == '\t'; + message++, len--) ; /* Find the end of the message */ - for(len -= 4; len--;) + for(; len--;) if(message[len] != '\r' && message[len] != '\n' && message[len] != ' ' && message[len] != '\t') break; -- cgit v1.2.3