From aa5ff07b61b6bd9db948cd6541bed3cd44f25924 Mon Sep 17 00:00:00 2001
From: Max Kunzelmann <max@mxzero.net>
Date: Sat, 11 Nov 2023 21:28:03 +0100
Subject: Fix out of bounds memory access (off by one)

If fgets reads a line that only contains a `\n`, then the pointer `eol`
will point to the first byte in that buffer. The subsequent dereference
of `*(eol -1 )` will access the byte before that buffer.

This fix makes sure that that length of the current line read by fgets
is at least 2 bytes long.

Signed-off-by: Max Kunzelmann <max@mxzero.net>
Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
---
 src/ical.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/ical.c b/src/ical.c
index 6d2d8d2..a8ce0a4 100644
--- a/src/ical.c
+++ b/src/ical.c
@@ -691,7 +691,7 @@ static int ical_readline(FILE * fdi, char *buf, char *lstore, unsigned *ln)
 	while (fgets(lstore, BUFSIZ, fdi) != NULL) {
 		(*ln)++;
 		if ((eol = strchr(lstore, '\n')) != NULL) {
-			if (*(eol - 1) == '\r')
+			if (strlen(lstore) > 1 && *(eol - 1) == '\r')
 				*(eol - 1) = '\0';
 			else
 				*eol = '\0';
-- 
cgit v1.2.3-54-g00ecf