From 7f4fbcb3a52aa5b0b83aef57bddb33fdd9d5b82e Mon Sep 17 00:00:00 2001
From: Georg Sauthoff
Date: Fri, 8 Feb 2019 10:50:40 +0100
Subject: [PATCH 04/11] Fix msg-id out-of-bounds read (#118) cf. https://sourceforge.net/p/bogofilter/bugs/118/
---
 src/token.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/token.c b/src/token.c
index 3ac43c1..686ddd0 100644
--- a/src/token.c
+++ b/src/token.c
@@ -33,6 +33,7 @@ AUTHOR:
 word_t *msg_addr; /* First IP Address in Received: statement */
 word_t *msg_id; /* Message ID */
+static size_t max_msg_id_len;
 word_t *queue_id; /* Message's first queue ID */
 static token_t save_class = NONE;
@@ -573,7 +574,8 @@ void token_init(void)
 msg_addr = word_new( NULL, max_token_len );
 /* Message ID */
- msg_id = word_new( NULL, max_token_len * 3 );
+ max_msg_id_len = max_token_len * 3;
+ msg_id = word_new( NULL, max_msg_id_len );
 /* Message's first queue ID */
 queue_id = word_new( NULL, max_token_len );
@@ -667,8 +669,8 @@ void set_tag(const char *text)
 void set_msg_id(byte *text, uint leng)
 {
- (void) leng; /* suppress compiler warning */
- token_set( msg_id, text, msg_id->leng );
+ uint n = min(leng, max_msg_id_len);
+ token_set( msg_id, text, n );
 }
 #define WFREE(n) word_free(n); n = NULL
-- 2.20.1
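Review bot: The new file-scope `max_msg_id_len` in the first hunk has no comment, although every neighbouring declaration carries one, and it is the value the bounds check in `set_msg_id` relies on. I would declare it as `static size_t max_msg_id_len; /* capacity passed to word_new() for msg_id, set in token_init() */`. That makes it clear the variable must stay in step with the allocation in `token_init` and is zero until that function has run.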
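Review bot: In the `set_msg_id` hunk, a copy of exactly `max_msg_id_len` bytes is only safe if the buffer from `word_new( NULL, max_msg_id_len )` has room for whatever `token_set` writes, and neither function is visible in this patch. If `token_set` stores a terminating NUL after the copied bytes, the allocation needs at least `max_msg_id_len + 1` bytes; please confirm that before relying on the clamp. The expression `min(leng, max_msg_id_len)` also mixes `uint` with `size_t` and narrows the result back to `uint`, which is harmless here because the result never exceeds `leng`, but an explicit cast would keep `-Wconversion` builds quiet. Over-long ids are now truncated silently, so a comment such as `/* clamp to msg_id capacity; longer Message-IDs are truncated */` above the `min` line would record that this is intended.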