From c3387e839e38f97f0ff4f67ba9eb01f9ead5d07b Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 30 Mar 2017 21:34:30 +0100
Subject: [PATCH] [Minor] Fix out-of-bound access issues
---
 src/libserver/html.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libserver/html.c b/src/libserver/html.c
index f33b3a304..abc795fa9 100644
--- a/src/libserver/html.c
+++ b/src/libserver/html.c
@@ -1745,7 +1745,7 @@ rspamd_html_process_style (rspamd_mempool_t *pool, struct html_block *bl,
 while (p <= end) {
 switch(state) {
 case read_key:
- if (*p == ':') {
+ if (p == end || *p == ':') {
 key = c;
 klen = p - c;
 state = skip_spaces;
@@ -1762,7 +1762,7 @@ rspamd_html_process_style (rspamd_mempool_t *pool, struct html_block *bl,
 break;
 case read_colon:
- if (*p == ':') {
+ if (p == end || *p == ':') {
 state = skip_spaces;
 next_state = read_value;
 }
@@ -1771,7 +1771,7 @@ rspamd_html_process_style (rspamd_mempool_t *pool, struct html_block *bl,
 break;
 case read_value:
- if (*p == ';' || p == end) {
+ if (p == end || *p == ';') {
 if (key && klen && p - c > 0) {
 if ((klen == 5 && g_ascii_strncasecmp (key, "color", 5) == 0) || (klen == 10 && g_ascii_strncasecmp (key, "font-color", 10) == 0)) {
@@ -1806,7 +1806,7 @@ rspamd_html_process_style (rspamd_mempool_t *pool, struct html_block *bl,
 break;
 case skip_spaces:
- if (!g_ascii_isspace (*p)) {
+ if (p < end && !g_ascii_isspace (*p)) {
 c = p;
 state = next_state;
 }
--
2.39.5
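Review bot: Nothing in the `read_key` hunk, or in the `read_colon`, `read_value` and `skip_spaces` hunks, records why `p == end` has to be tested before `*p`. The loop condition `while (p <= end)` runs one iteration with `p` equal to `end`, which the subject line suggests is past the last readable byte, so each guard is safe only because of short-circuit order; the old `read_value` test had both operands and still read `*p` first. I would add a comment above the loop, e.g. `/* end is one past the last byte; p == end is visited once, so every state must compare p with end before reading *p */`. The body of rspamd_html_process_style starts and ends outside these hunks, so any states not touched here should be checked for the same pattern.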
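Review bot: In the `skip_spaces` hunk, `p == end` makes the new condition `p < end && !g_ascii_isspace (*p)` false, so control passes to whatever follows the closing brace of this `if`, which is outside the hunk. If that path reads `*p` it needs the same bound check. If it only advances `p`, a short comment such as `/* p == end: nothing left to skip, let the loop terminate */` would explain why this state uses `p < end &&` while the other three use `p == end ||`.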