With specially crafted input to 'mutt -H', the line "Return-Path:<() "
is read and passed to mutt_parse_rfc822_line(). "<() " is then passed
through to rfc822_parse_adrlist().

Eventually, inside next_token(), is_special(*s) is called when s
points to the end of the string ('\0'). This macro calls strchr,
which will actually match and return a pointer to the trailing '\0' in
RFC822Specials! This causes "s + 1" to be returned, skipping past the
end of string inside parse_mailboxdomain().

This patch adds a check to make sure *s is non-null before calling
is_special(*s).
return (parse_comment (s + 1, token, tokenlen, tokenmax));
if (*s == '"')
return (parse_quote (s + 1, token, tokenlen, tokenmax));
- if (is_special (*s))
+ if (*s && is_special (*s))
{
if (*tokenlen < tokenmax)
token[(*tokenlen)++] = *s;
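
Review bot: The `*s &&` guard on the `if (is_special (*s))` line fixes only this call in next_token(), while the macro itself still reports '\0' as special because strchr matches the terminator of RFC822Specials, so any other caller that can be handed the end of the string keeps the same behaviour. Consider moving the non-zero test into the is_special macro, or auditing its remaining call sites, and add a one-line comment here saying why the NUL test is needed, since `*s && is_special (*s)` reads as redundant without the strchr detail from the commit message. The path taken when *s is '\0' now falls through past this block, which the hunk does not show; it should be confirmed that it returns without advancing s, and a regression test feeding the "Return-Path:<() " line from the commit message would pin that down.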