From 0a76f8fb7ed09b396cfd7fbd320ffea2f647669f Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Sun, 18 Oct 2015 19:45:51 +0800
Subject: [PATCH] Fix next_token() oob read. (closes #3787)

With specially crafted input to 'mutt -H', the line "Return-Path:<() " is read and passed to mutt_parse_rfc822_line(). "<() " is then passed through to rfc822_parse_adrlist(). Eventually, inside next_token(), is_special(*s) is called when s points to the end of the string ('\0'). This macro calls strchr, which will actually match and return a pointer to the trailing '\0' in RFC822Specials! This causes "s + 1" to be returned, skipping past the end of string inside parse_mailboxdomain(). This patch adds a check to make sure *s is non-null before calling is_special(*s).
---
 rfc822.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfc822.c b/rfc822.c
index 884c00b17..803478247 100644
--- a/rfc822.c
+++ b/rfc822.c
@@ -202,7 +202,7 @@ next_token (const char *s, char *token, size_t *tokenlen, size_t tokenmax)
 return (parse_comment (s + 1, token, tokenlen, tokenmax));
 if (*s == '"')
 return (parse_quote (s + 1, token, tokenlen, tokenmax));
- if (is_special (*s))
+ if (*s && is_special (*s))
 {
 if (*tokenlen < tokenmax)
 token[(*tokenlen)++] = *s;
--
2.50.1
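Review bot: The guard is added only at this one call site in next_token(), while the root cause named in the commit message — is_special() matching the terminating '\0' because strchr() finds it in RFC822Specials — stays in the macro, so any other caller that reaches is_special() with a '\0' argument keeps the same past-the-end read. Moving the check into the macro, e.g. `#define is_special(x) ((x) && strchr(RFC822Specials, (x)))`, closes the whole class at once and makes the `*s &&` in this hunk redundant rather than load-bearing. next_token()'s body starts before the hunk and continues after it, so whether a '\0' that now skips this branch is terminated correctly by the remaining code cannot be confirmed here and should be checked. A regression test that feeds the "Return-Path:<() " line from the description through the 'mutt -H' path (ideally under ASan) would pin the fix and catch any reintroduction.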