Fix imap_quote_string() length check errors.

The function wasn't properly checking for dlen<2 before quoting, and
wasn't properly pre-adjusting dlen to include the initial quote.

Thanks to Jeriko One for reporting these issues.

diff --git a/imap/util.c b/imap/util.c
index 3274a70c58058b6fd39919db0f6e1a31f3ac906f..2779294454358a1969f3696c9f1dd030b0100c0b 100644 (file)
--- a/imap/util.c
+++ b/imap/util.c
@@ -614,20 +614,29 @@ static void _imap_quote_string (char *dest, size_t dlen, const char *src,
   char *pt;
   const char *s;
 
+  if (!(dest && dlen && src && to_quote))
+    return;
+
+  if (dlen < 3)
+  {
+    *dest = 0;
+    return;
+  }
+
   pt = dest;
   s  = src;
 
-  *pt++ = '"';
-  /* save room for trailing quote-char */
-  dlen -= 2;
+  /* save room for pre/post quote-char and trailing null */
+  dlen -= 3;
 
+  *pt++ = '"';
   for (; *s && dlen; s++)
   {
     if (strchr (to_quote, *s))
     {
+      if (dlen < 2)
+        break;
       dlen -= 2;
-      if (!dlen)
-       break;
       *pt++ = '\\';
       *pt++ = *s;
     }