From e7c25d5b603a33e677efc4bccb6e5cac617e7ad5 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 1 Jan 2015 21:47:10 +0000
Subject: [PATCH] Avoid crash with badly-terminated non-recognised mime parameter
---
 src/src/mime.c | 18 ++++++++------
 test/log/4000 | 3 +++
 test/mail/4000.userx | 42 +++++++++++++++++++++++++++++++++
 test/scripts/4000-scanning/4000 | 32 +++++++++++++++++++++++++
 test/stdout/4000 | 11 +++++++++
 5 files changed, 99 insertions(+), 7 deletions(-)
diff --git a/src/src/mime.c b/src/src/mime.c
index e5fe476d0..948dd7848 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -589,6 +589,7 @@ DECODE_HEADERS: NEXT_PARAM_SEARCH: while (*p) {
+ /* debug_printf(" considering paramlist '%s'\n", p); */
 mime_parameter * mp; for (mp = mime_parameter_list; mp < &mime_parameter_list[mime_parameter_list_size];
@@ -623,7 +624,7 @@ NEXT_PARAM_SEARCH: param_value = rfc2047_decode(param_value, check_rfc2047_length, NULL, 32, NULL, &dummy);
- debug_printf("Found %s MIME parameter in %s header, "
+ debug_printf(" Found %s MIME parameter in %s header, "
 "value is '%s'\n", mp->name, mime_header_list[i].name, param_value); }
@@ -631,14 +632,17 @@ NEXT_PARAM_SEARCH: goto NEXT_PARAM_SEARCH; } }
- /* There is something, but not one of our interesting parameters.
- Advance to the next semicolon */
- while(*p != ';')
+ /* There is something, but not one of our interesting parameters.
+ Advance to the next unquoted semicolon */
+ while(*p && *p != ';')
+ if (*p == '"')
 {
- if (*p == '"') while(*++p && *p != '"') ;
- p++;
+ while(*++p && *p != '"') ;
+ if (*p) p++;
 }
- p++;
+ else
+ p++;
+ if (*p) p++;
 } } }
diff --git a/test/log/4000 b/test/log/4000
index bd4918963..e2c364fca 100644
--- a/test/log/4000
+++ b/test/log/4000
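Review bot: The quoted-string skip in the rewritten "advance to the next unquoted semicolon" loop of the third mime.c hunk, `while(*++p && *p != '"') ;`, stops at the first `"` even when it is backslash-escaped. For a constructed value such as `x="a\";b"` the scanner would split at the `;` inside the quotes and could see different parameter boundaries than a client that honours quoted-pairs. If RFC 2045 quoted-string handling is intended, the inner loop could skip escaped characters: `while(*++p && *p != '"') if (*p == '\\' && p[1]) p++;`. The added NUL checks cover only the non-recognised branch; value extraction for recognised parameters lies outside these hunks (the enclosing `while (*p)` loop starts above them) and is worth checking for the same unterminated-quote input. The outer `while` now carries an unbraced if/else body and the first hunk adds a commented-out `debug_printf`; bracing the body and dropping the dead line would make this path easier to audit.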
@@ -10,3 +10,6 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty3"
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userx R=r1 T=t1
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty4"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userx R=r1 T=t1
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
diff --git a/test/mail/4000.userx b/test/mail/4000.userx
index 81b21d224..d362efd54 100644
--- a/test/mail/4000.userx
+++ b/test/mail/4000.userx
@@ -254,3 +254,45 @@ foobar --T4sUOijqQbZv57TR--
+From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from )
+ id 10HmbB-0005vi-00
+ for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+From: J Caesar
+To: a-list00@exim.org
+Message-ID: <20041217133501.GA3059@test.ex>
+Mime-Version: 1.0
+Content-Type: text/plain;
+ garbage1;
+ garbage2=foo;
+ garbage3="bar"foo;
+ charset=UTF-8;
+ garbage4=";
+ garbage5="
+Content-Disposition: inline
+Subject: Nasty4
+Sender: CALLER_NAME
+X-0-content-type: text/plain
+X-0-filename:
+X-0-charset: UTF-8
+X-0-boundary:
+X-0-content-disposition: inline
+X-0-content-transfer-encoding:
+X-0-content-id:
+X-0-content-description:
+X-0-is-multipart: 0
+X-0-is-coverletter: 1
+X-0-is-rfc822: 0
+X-0-decode-filename: TESTSUITE/spool/scan/10HmbB-0005vi-00/10HmbB-0005vi-00-00000
+X-0-content-size: 1
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+
diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000
index de175dec5..cd53007b2 100644
--- a/test/scripts/4000-scanning/4000
+++ b/test/scripts/4000-scanning/4000
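Review bot: The expected mailbox entry added for Nasty4 in test/mail/4000.userx carries a `garbage5="` continuation line under Content-Type, but the message sent by the new case in test/scripts/4000-scanning/4000 ends that header at `garbage4=";`. As shown, the input and the expected output disagree, and only the script's form appears to leave a quote unterminated at the end of the header. Confirm which form was intended and make the two fixtures match, so the regression test pins the crash case. The script comment could also name the malformed forms it covers, e.g. `# unrecognised params: bare name, quoted value with trailing text, unterminated quote at end of header`.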
@@ -153,3 +153,35 @@ foobar . quit ****
+#
+#
+# This one has a some unrecognised params
+#
+exim -odi -bs
+ehlo test.ex
+mail from:<>
+rcpt to:
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+From: J Caesar
+To: a-list00@exim.org
+Message-ID: <20041217133501.GA3059@test.ex>
+Mime-Version: 1.0
+Content-Type: text/plain;
+ garbage1;
+ garbage2=foo;
+ garbage3="bar"foo;
+ charset=UTF-8;
+ garbage4=";
+Content-Disposition: inline
+Subject: Nasty4
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+.
+quit
+****
diff --git a/test/stdout/4000 b/test/stdout/4000
index ae27f526e..24b8e2868 100644
--- a/test/stdout/4000
+++ b/test/stdout/4000
@@ -42,3 +42,14 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmbA-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbB-0005vi-00
+221 myhost.test.ex closing connection
--
2.30.2