next_arg() returns NULL if it runs out of arguments. Most call sites already handle that gracefully. Check in the remaining cases as well. Replace the NULL pointer with an empty string at the bottom of get_cmd_result() -- it's nicely reported as an unexpected response a few lines down. Error out explicitly at the remaining sites.
Signed-off-by: Rene Scharfe <l.s.r@xxxxxx>
---
 imap-send.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/imap-send.c b/imap-send.c
index 8c785f3ca2..0031566309 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -693,6 +693,10 @@ static int parse_response_code(struct imap_store *ctx, struct imap_cmd_cb *cb,
 }
 *p++ = 0;
 arg = next_arg(&s);
+ if (!arg) {
+ fprintf(stderr, "IMAP error: empty response code\n");
+ return RESP_BAD;
+ }
 if (!strcmp("UIDVALIDITY", arg)) {
 if (!(arg = next_arg(&s)) || !(ctx->uidvalidity = atoi(arg))) {
 fprintf(stderr, "IMAP error: malformed UIDVALIDITY status\n");
@@ -725,7 +729,8 @@ static int get_cmd_result(struct imap_store *ctx, struct imap_cmd *tcmd)
 {
 struct imap *imap = ctx->imap;
 struct imap_cmd *cmdp, **pcmdp;
- char *cmd, *arg, *arg1;
+ char *cmd;
+ const char *arg, *arg1;
 int n, resp, resp2, tag;
 for (;;) {
@@ -733,6 +738,10 @@ static int get_cmd_result(struct imap_store *ctx, struct imap_cmd *tcmd)
 return RESP_BAD;
 arg = next_arg(&cmd);
+ if (!arg) {
+ fprintf(stderr, "IMAP error: empty response\n");
+ return RESP_BAD;
+ }
 if (*arg == '*') {
 arg = next_arg(&cmd);
 if (!arg) {
@@ -807,6 +816,8 @@ static int get_cmd_result(struct imap_store *ctx, struct imap_cmd *tcmd)
 if (cmdp->cb.cont || cmdp->cb.data)
 imap->literal_pending = 0;
 arg = next_arg(&cmd);
+ if (!arg)
+ arg = "";
 if (!strcmp("OK", arg))
 resp = DRV_OK;
 else {
--
2.15.0
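Review bot: In the first hunk (parse_response_code), the UIDVALIDITY line directly after the new guard still converts a server-supplied token with `atoi(arg)`, which cannot detect trailing garbage and has undefined behaviour when the value is out of range. The added NULL check stops the crash on a missing token, but the string itself is still under the server's control. A follow-up could parse with `strtol(arg, &end, 10)` and reject `end == arg || *end || errno == ERANGE`. The type of ctx->uidvalidity is not visible here, so the accepted range needs confirming, and the function body starts and continues outside the hunk.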
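Review bot: In the last hunk of get_cmd_result, `if (!arg) arg = "";` treats a missing status word differently from the two other sites this patch touches, which print an error and return RESP_BAD, and the code gives no reason for the difference. The rationale is only in the commit message: the empty string is meant to reach the unexpected-response report further down, which lies outside this hunk. A comment such as `/* no status word: let the non-OK branch below report it */` would stop a later reader from replacing the substitution or from assuming arg can never be NULL here. This assignment is presumably also why the second hunk changes arg and arg1 to `const char *`.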