From 4f279cb2fff3a1423f1a4a35735718d55c501553 Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Tue, 15 May 2018 22:41:58 +0000
Subject: [PATCH] Fix get_msg_header() problem reported by Bill McGarrity:
 "expand fields" could be misinterpreted (e.g. as 'false') if less than 3
 args were passed to the function. Apparently you can NOT assume that
 argv[argc] is undefined and would fail a JSVAL_IS_BOOLEAN test. In the
 reported problem, MsgBase.get_msg_header() was being called with 2 arguments
 (from newslink.js) and the if(JSVAL_IS_BOOLEAN(argv[n])) test, when n was 2,
 would eval to true and then argv[n] evaluated as false, which would cause a
 message with no message ID to not have one dynamically created, which would
 then cause the message to fail to post to an NNTP server due to malformed
 Message-ID (a missing message "id" property would end up being included in
 the newsgroup article header as "Message-ID: undefined").

get_msg_index() had a similar potential issue, also fixed.
---
 src/sbbs3/js_msgbase.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/sbbs3/js_msgbase.c b/src/sbbs3/js_msgbase.c
index e73dc6f726..559db6dc0e 100644
--- a/src/sbbs3/js_msgbase.c
+++ b/src/sbbs3/js_msgbase.c
@@ -926,7 +926,7 @@ js_get_msg_index(JSContext *cx, uintN argc, jsval *arglist)
 	memset(&msg,0,sizeof(msg));
 
 	n=0;
-	if(JSVAL_IS_BOOLEAN(argv[n]))
+	if(n < argc && JSVAL_IS_BOOLEAN(argv[n]))
 		by_offset = JSVAL_TO_BOOLEAN(argv[n++]);
 
 	for(;n<argc;n++) {
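Review bot: The reason for the new `n < argc` guard is not recorded in the code at the boolean probe in js_get_msg_index, so a later cleanup could drop it as redundant. A short comment would keep it in place, e.g. `/* argv[argc] is not guaranteed to be undefined: check n < argc before probing an optional argument */`. The same guard is repeated five times in js_get_msg_header in the later hunks, where the same comment, or a small helper macro that wraps the bound check and the type test, would apply. The function body starts and ends outside this hunk.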
@@ -1465,11 +1465,11 @@ js_get_msg_header(JSContext *cx, uintN argc, jsval *arglist)
 
 	p->expand_fields=JS_TRUE;	/* This parameter defaults to true */
 	n=0;
-	if(JSVAL_IS_BOOLEAN(argv[n]))
+	if(n < argc && JSVAL_IS_BOOLEAN(argv[n]))
 		by_offset = JSVAL_TO_BOOLEAN(argv[n++]);
 
 	/* Now parse message offset/id and get message */
-	if(JSVAL_IS_NUMBER(argv[n])) {
+	if(n < argc && JSVAL_IS_NUMBER(argv[n])) {
 		if(by_offset) {							/* Get by offset */
 			if(!JS_ValueToInt32(cx,argv[n++],(int32*)&(p->msg).offset)) {
 				free(p);
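Review bot: On the by-offset path, `JS_ValueToInt32(cx,argv[n++],(int32*)&(p->msg).offset)` writes a script-supplied signed value through a cast pointer, so a negative number from the caller lands in the offset field unchanged. The field's declared type is not visible here; if it is unsigned, that value becomes a very large offset. Whether the lookup that follows bounds the offset is outside this hunk, so it is worth confirming, or rejecting negative values right after the conversion. The branch continues outside the hunk.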
@@ -1505,7 +1505,7 @@ js_get_msg_header(JSContext *cx, uintN argc, jsval *arglist)
 
 		smb_unlockmsghdr(&(p->p->smb),&(p->msg)); 
 		JS_RESUMEREQUEST(cx, rc);
-	} else if(JSVAL_IS_STRING(argv[n]))	{		/* Get by ID */
+	} else if(n < argc && JSVAL_IS_STRING(argv[n]))	{		/* Get by ID */
 		JSSTRING_TO_MSTRING(cx, JSVAL_TO_STRING(argv[n]), cstr, NULL);
 		n++;
 		if(JS_IsExceptionPending(cx)) {
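Review bot: With both the JSVAL_IS_NUMBER test and this JSVAL_IS_STRING test now guarded by `n < argc`, a call that supplies no offset, number or ID skips both branches, and nothing visible here shows that case being rejected before p->msg is used. If the code between this hunk and the next does not already handle it, an explicit early exit after the by_offset probe would make the behaviour unambiguous, e.g. `if(n >= argc) { free(p); return JS_TRUE; }`, mirroring the free(p) on the visible conversion-failure path. The right return value depends on lines outside the hunk. The else-if body also continues outside the hunk.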
@@ -1532,10 +1532,10 @@ js_get_msg_header(JSContext *cx, uintN argc, jsval *arglist)
 		return JS_TRUE;
 	}
 
-	if(JSVAL_IS_BOOLEAN(argv[n]))
+	if(n < argc && JSVAL_IS_BOOLEAN(argv[n]))
 		p->expand_fields = JSVAL_TO_BOOLEAN(argv[n++]);
 
-	if(JSVAL_IS_BOOLEAN(argv[n]))
+	if(n < argc && JSVAL_IS_BOOLEAN(argv[n]))
 		include_votes = JSVAL_TO_BOOLEAN(argv[n++]);
 
 	if(!include_votes && (p->msg.hdr.attr&MSG_VOTE)) {
-- 
GitLab