From: Unknown <john.beck@oracle.com>
Date: Fri, 22 Feb 2013 16:30:40 +0000 (+0000)
Subject: fix potential buffer overflow in off-by-one bounds checking error
X-Git-Tag: neomutt-20160307~171
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d2304e025348626bc5e9de256e416b64d14ced7d;p=neomutt

fix potential buffer overflow in off-by-one bounds checking error

closes #3635
---

diff --git a/rfc1524.c b/rfc1524.c
index 1baca7488..ccd78c112 100644
--- a/rfc1524.c
+++ b/rfc1524.c
@@ -68,7 +68,7 @@ int rfc1524_expand_command (BODY *a, char *filename, char *_type,
   if (option (OPTMAILCAPSANITIZE))
     mutt_sanitize_filename (type, 0);
 
-  while (x < clen && command[x] && y < sizeof (buf) - 1)
+  while (x < clen - 1 && command[x] && y < sizeof (buf) - 1)
   {
     if (command[x] == '\\')
     {
diff --git a/sendlib.c b/sendlib.c
index c1c32fbda..cede8534f 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -1664,7 +1664,7 @@ static int fold_one_header (FILE *fp, const char *tag, const char *value,
     /* find the next word and place it in `buf'. it may start with
      * whitespace we can fold before */
     next = find_word (p);
-    l = MIN(sizeof (buf), next - p);
+    l = MIN(sizeof (buf) - 1, next - p);
     memcpy (buf, p, l);
     buf[l] = 0;