From 901b0f0463c9d16a8cf5b9ed37118d8484bc9176 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 10 Aug 2022 21:43:08 +0200
Subject: [PATCH] main: fix two one-byte overreads in header_value()

By passing specially crafted header values, the skip loops in the header_value() function may override the input buffer by one byte each.

Reported-by: Jinwei Dong
Signed-off-by: Jo-Philipp Wich
---
 main.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/main.c b/main.c
index e55051e..8ca4c04 100644
--- a/main.c
+++ b/main.c
@@ -314,21 +314,21 @@ header_value(multipart_parser *p, const char *data, size_t len)
 if (len < 10 || strncasecmp(data, "form-data", 9))
 return 0;
-for (data += 9, len -= 9; *data == ' ' || *data == ';'; data++, len--);
+for (data += 9, len -= 9; len > 0 && (*data == ' ' || *data == ';'); data++, len--);
 if (len < 8 || strncasecmp(data, "name=\"", 6))
 return 0;
-for (data += 6, len -= 6, i = 0; i <= len; i++)
+for (data += 6, len -= 6, i = 1; i < len; i++)
 {
-if (*(data + i) != '"')
-continue;
-
-for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
-if (!strncmp(data, parts[j], i))
-st.parttype = j;
+if (data[i] == '"')
+{
+for (j = 1; j < sizeof(parts) / sizeof(parts[0]); j++)
+if (!strncmp(data, parts[j], i - 1))
+st.parttype = j;
-break;
+break;
+}
 }
 return 0;
-- 
2.30.2
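Review bot: The length passed to strncmp on the new side is one byte short: the closing quote is found at `data[i]`, so the name occupies `i` bytes, yet the compare uses `i - 1`, which together with strncmp's prefix semantics lets a name such as `files` match a `parts[]` entry `file` (the original `i` already allowed a shorter name to match a longer entry). If `parts[]` holds exact token names, which is not visible here, compare the full length on both sides: `if (strlen(parts[j]) == i && !strncmp(data, parts[j], i))`. Starting the scan at `i = 1` also means an empty name (`name=""`) is no longer recognised and the loop keeps scanning the rest of the value for a later quote, which looks unintended though harmless. The bounds of both loops now look correct given the `len < 8` check, which leaves at least two bytes after `name="`. header_value's declarations of `i`, `j` and `st`, and the rest of its body, lie outside the hunk.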