From: Kevin McCarthy Date: Fri, 13 Jul 2018 03:46:37 +0000 (-0700) Subject: Fix imap_quote_string() length check errors. X-Git-Tag: mutt-1-10-1-rel~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e0131852c6059107939893016c8ff56b6e42865d;p=mutt Fix imap_quote_string() length check errors. The function wasn't properly checking for dlen<2 before quoting, and wasn't properly pre-adjusting dlen to include the initial quote. Thanks to Jeriko One for reporting these issues. --- diff --git a/imap/util.c b/imap/util.c index 3274a70c..27792944 100644 --- a/imap/util.c +++ b/imap/util.c @@ -614,20 +614,29 @@ static void _imap_quote_string (char *dest, size_t dlen, const char *src, char *pt; const char *s; + if (!(dest && dlen && src && to_quote)) + return; + + if (dlen < 3) + { + *dest = 0; + return; + } + pt = dest; s = src; - *pt++ = '"'; - /* save room for trailing quote-char */ - dlen -= 2; + /* save room for pre/post quote-char and trailing null */ + dlen -= 3; + *pt++ = '"'; for (; *s && dlen; s++) { if (strchr (to_quote, *s)) { + if (dlen < 2) + break; dlen -= 2; - if (!dlen) - break; *pt++ = '\\'; *pt++ = *s; }
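Review bot: The new guard at the top of the hunk, `if (!(dest && dlen && src && to_quote)) return;`, returns without writing to dest when src or to_quote is NULL even though dest and dlen are valid, so a caller that goes on to use the buffer as a string reads whatever it held before the call. The `dlen < 3` branch directly below already sets `*dest = 0`; doing the same in the first branch whenever dest is non-NULL and dlen is non-zero would make every early exit leave a terminated string. Separately, both the `dlen < 3` return and the `if (dlen < 2) break;` inside the loop shorten the output silently, and the function is `static void`, so the caller cannot tell a fully quoted string from a truncated one. Consider returning a status, or at least documenting the truncation behaviour in the function comment.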