From aa11be7a2e6a7f1c2607446eeac6f869b2391fe1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0?= =?UTF-8?q?=D1=83=D0=B7=D0=BE=D0=B2?=
Date: Mon, 11 Dec 2023 17:30:44 +0100
Subject: [PATCH] message_parse_received_date() avoid calling message_parse_string(hdr="") as the latter does hdr = strchr(hdr+1, '\n') and hdr+1 is not allocated.
---
 cunit/message.testc | 13 +++++++++++++
 imap/message.c | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/cunit/message.testc b/cunit/message.testc
index a22966bf6a9..5925725f2c5 100644
--- a/cunit/message.testc
+++ b/cunit/message.testc
@@ -1391,4 +1391,17 @@ static void test_parse_bogus_charset_params(void)
 #undef TESTCASE
 }
+/*
+ * Verifies that message_parse_received_date() does not read
+ * uninitialized data in the second call to message_parse_string()
+ */
+static void test_parse_received_semicolon(void)
+{
+ static const char msg[] = "Received: abc;\r\n\r\nd";
+ struct body body;
+ memset(&body, 0x45, sizeof(body));
+ CU_ASSERT_EQUAL(message_parse_mapped(msg, sizeof(msg)-1, &body, NULL), 0);
+ CU_ASSERT_STRING_EQUAL(body.received_date, "");
+ message_free_body(&body);
+}
 /* vim: set ft=c: */
diff --git a/imap/message.c b/imap/message.c
index 97583000e8b..793ff21087d 100644
--- a/imap/message.c
+++ b/imap/message.c
@@ -2010,7 +2010,7 @@ static void message_parse_received_date(const char *hdr, char **hdrp)
 curp--;
 /* Didn't find ; - fill in hdrp so we don't look at next received header */
- if (curp == hdrbuf) {
+ if (curp == hdrbuf || curp[1] == '\0') {
 *hdrp = hdrbuf;
 return;
 }
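Review bot: The two assertions in test_parse_received_semicolon check only the return code and the final received_date, so the read past the terminator that this test targets is probably caught only when the suite runs under Valgrind or AddressSanitizer, and the header comment should say so. The `memset(&body, 0x45, sizeof(body))` poison is also unexplained; it appears to rely on message_parse_mapped() initialising every field before message_free_body() runs, which is not visible in this hunk. I would add `/* poison body so a field the parser fails to set is noticed */` above the memset and extend the header comment with `(a Received header ending in ';' with no date; only detectable under Valgrind/ASan)`.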
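Review bot: The added `curp[1] == '\0'` condition protects only this caller, while the commit description places the unsafe step, `strchr(hdr+1, '\n')`, inside message_parse_string(), which other callers may still reach with an empty string. An early return in message_parse_string() when `*hdr == '\0'` would remove the over-read at its source; that function is outside this hunk, so confirm what it does before the strchr. It is also worth checking a header whose `;` is followed only by whitespace, since whether message_parse_string() ends up on an empty string in that case cannot be judged from here. The comment above the branch now covers two cases and could read `/* No ';', or nothing after it - fill in hdrp so we don't look at next received header */`. message_parse_received_date() starts and ends outside the hunk.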