From 586a5180287262070637c8943f2f7efd652e4a2c Mon Sep 17 00:00:00 2001
From: Steven Morgan
Date: Thu, 2 Mar 2017 14:41:20 -0500
Subject: [PATCH] bb11797 - fix invalid read in fuzzed mail file.

---
 libclamav/message.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libclamav/message.c b/libclamav/message.c
index b5cf0ddc7..36bbf417d 100644
--- a/libclamav/message.c
+++ b/libclamav/message.c
@@ -445,8 +445,12 @@ messageAddArgument(message *m, const char *arg)
  * FIXME: Bounce message handling is corrupting the in
  * core copies of headers
  */
- cli_dbgmsg("Possible data corruption fixed\n");
- p[8] = '=';
+ if (strlen(p) > 8) {
+ cli_dbgmsg("Possible data corruption fixed\n");
+ p[8] = '=';
+ } else {
+ cli_dbgmsg("Possible data corruption not fixed\n");
+ }
 } else {
 if(*p)
 cli_dbgmsg("messageAddArgument, '%s' contains no '='\n", p);
@@ -682,7 +686,7 @@ messageFindArgument(const message *m, const char *variable)
 cli_dbgmsg("messageFindArgument: no '=' sign found in MIME header '%s' (%s)\n", variable, messageGetArgument(m, i));
 return NULL;
 }
- if((*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
+ if((strlen(ptr) > 2) && (*++ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {
 /* Remove any quote characters */
 char *ret = cli_strdup(++ptr);
 char *p;
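Review bot: The guard `strlen(p) > 8` is the correct bound for writing `p[8]`, but the literal 8 now appears twice in the first hunk with nothing saying which byte of the argument the fix-up restores; the FIXME comment above it only says bounce handling corrupts headers. Hoist it into a named constant or at least a local, e.g. `size_t len = strlen(p); if (len > 8) {`, and extend the comment to state which header layout is expected to carry `=` at offset 8. The new else branch only logs and falls through, so an argument too short to repair is presumably still added as-is; whether it should instead be rejected cannot be judged from here, since messageAddArgument starts and ends outside the hunk. Both branches also rely on `p` being NUL-terminated, which `strlen` requires — fine if `p` is a copy made by this function, worth confirming.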
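Review bot: In the second hunk, placing `strlen(ptr) > 2` ahead of `*++ptr` changes where `ptr` ends up: when the value is two characters or shorter the `&&` short-circuits and the increment never executes, so `ptr` still points at the `=` instead of the character after it, whereas before the patch it was always advanced. If the code after this if block (messageFindArgument continues past the hunk) returns or copies `ptr` in the unquoted case, such a short value would now come back with its leading `=`. Do the increment unconditionally and test the advanced pointer: `++ptr;` followed by `if((strlen(ptr) > 1) && (*ptr == '"') && (strchr(&ptr[1], '"') != NULL)) {`. Note also that for a NUL-terminated value `*ptr == '"'` already guarantees `ptr[1]` is inside the string, so the length check only adds protection if the argument may lack a terminator — in which case `strlen` itself reads past the end; a one-line comment stating what the guard actually defends against would help the next reader.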