author	Kevin McCarthy <kevin@8t8.us>	2023-09-03 14:11:48 +0800
committer	Kevin McCarthy <kevin@8t8.us>	2023-09-09 14:31:19 +0800
commit	a4752eb0ae0a521eec02e59e51ae5daedf74fda0 (patch)
tree	6ba9505963f2a07745f9d81a739924f1b9ce8a37
parent	4cc3128abdf52c615911589394a03271fddeefc6 (diff)
Fix write_one_header() illegal header check.
This is another crash caused by the rfc2047 decoding bug fixed in the second prior commit. In this case, an empty header line followed by a header line starting with ":" would result in t==end. The mutt_substrdup() further below would go very badly at that point, with t >= end+1. This could result in either a memcpy onto NULL or a huge malloc call.

Thanks to Chenyuan Mi (@morningbread) for giving a working example draft message of the rfc2047 decoding flaw. This allowed me, with further testing, to discover this additional crash bug.
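The following is an added illustration, not mutt's code and not part of this commit: the shape of the `':'` check before and after the fix, exercised on a constructed input that reproduces the t == end condition the commit message describes. It assumes `end` is the one-past-the-end pointer of the header being written and that the bytes at and after `end` belong to the next header in the same buffer; the length computation mimics what a substring copy of (t + 1 .. end) would request. The bounded `memchr` variant is my suggestion, not something the patch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration only (not mutt's code). The header being written occupies
 * [start, start + len); whatever follows it in the buffer is assumed to be
 * the next header. All three checks return 1 for "looks like key: value".
 */

/* Pre-fix shape of the check: a colon at t is accepted whenever t <= end. */
static int old_check_accepts(const char *start, size_t len)
{
    const char *end = start + len;
    const char *t = strchr(start, ':');      /* NUL-bounded, not end-bounded */
    return !(!t || t > end);
}

/* Fixed shape of the check: the colon must lie strictly before end. */
static int new_check_accepts(const char *start, size_t len)
{
    const char *end = start + len;
    const char *t = strchr(start, ':');
    return !(!t || t >= end);
}

/* Suggested alternative (assumption, not in the patch): bound the search
 * itself so it can never return a pointer at or beyond end. */
static int bounded_check_accepts(const char *start, size_t len)
{
    const char *t = memchr(start, ':', len);
    return t != NULL;
}

/* Length a substring copy of (t + 1 .. end) would compute once the check has
 * been passed. The "t >= end+1" situation from the commit message shows up
 * here as a negative value, which becomes a huge size_t at malloc/memcpy. */
static ptrdiff_t value_len_after_colon(const char *start, size_t len)
{
    const char *end = start + len;
    const char *t = strchr(start, ':');
    return t ? end - (t + 1) : 0;
}

int main(void)
{
    /* Constructed input: an empty header (len == 0, so start == end) whose
     * successor begins with ':'. strchr walks past end and returns a pointer
     * equal to it. */
    const char empty_then_colon[] = ":bogus\r\n";
    /* Constructed input: a well-formed header, for comparison. */
    const char normal[] = "Subject: hi";

    printf("empty header followed by ':' -> old:%d new:%d bounded:%d len:%td\n",
           old_check_accepts(empty_then_colon, 0),
           new_check_accepts(empty_then_colon, 0),
           bounded_check_accepts(empty_then_colon, 0),
           value_len_after_colon(empty_then_colon, 0));
    printf("\"Subject: hi\"              -> old:%d new:%d bounded:%d len:%td\n",
           old_check_accepts(normal, strlen(normal)),
           new_check_accepts(normal, strlen(normal)),
           bounded_check_accepts(normal, strlen(normal)),
           value_len_after_colon(normal, strlen(normal)));
    return 0;
}
```

With the constructed empty header the pre-fix check accepts the colon at t == end and the computed value length is -1; the fixed check and the bounded search both reject it, while the well-formed header passes all three.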
-rw-r--r--	sendlib.c	2
1 files changed, 1 insertions, 1 deletions
diff --git a/sendlib.c b/sendlib.c
index 763bff41..204b1308 100644
--- a/sendlib.c
+++ b/sendlib.c
@@ -2130,7 +2130,7 @@ static int write_one_header (FILE *fp, int pfxw, int max, int wraplen,
else
{
t = strchr (start, ':');
- if (!t || t > end)
+ if (!t || t >= end)
{
dprint (1, (debugfile, "mwoh: warning: header not in "
"'key: value' format!\n"));
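Review bot: the `>=` now rejects t == end, but the search itself is still `strchr (start, ':')`, which is bounded by the NUL terminator rather than by `end`, so correctness rests on the comparison after the fact and the scan still reads past the header it is checking. Consider `t = memchr (start, ':', end - start);` so that a colon outside [start, end) cannot be returned in the first place and the `t >= end` case becomes unreachable. Also worth a second look: a colon at `t == start` (an empty key) still passes this check; if the callers do not guarantee a non-empty key, the same "not in 'key: value' format" path should probably catch it.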