mapi_lib: restore g_proprow tag set reduction

jengelh · jengelh · commit 9a010a52b372 · 2025-10-17T19:00:15.000+02:00
EXT_PULL::g_recipient_row pulled more bytes off the ROP command
buffer than it should have, and then the parse eventually returned
pack_result::format. (Managed to trigger it with one MAPI_TO and one
MAPI_BCC recipient).

In the caller, `g_recipient_row`, this had changed:

```
-	if (r-&gt;count &gt; pproptags-&gt;count)
+	if (r-&gt;count &gt; tags.size())
		return pack_result::format;
-       proptags.count = r-&gt;count;
```

This is not just an overflow check; one has to realize that r-&gt;count
can legitimately be smaller than tags.size() and that a subset of
tags is passed down from g_recipient_row to g_proprow.

Fixes: gromox-3.0-107-ga2c814f32
References: GXH-181
diff --git a/lib/mapi/ext_buffer.cpp b/lib/mapi/ext_buffer.cpp
@@ -1664,7 +1664,7 @@ pack_result EXT_PULL::g_recipient_row(std::span<const proptag_t> tags, RECIPIENT
 	TRY(g_uint16(&r->count));
 	if (r->count > tags.size())
 		return pack_result::format;
-	return g_proprow(tags, &r->properties);
+	return g_proprow(tags.subspan(0, r->count), &r->properties);
 }
 
 pack_result EXT_PULL::g_modrcpt_row(std::span<const proptag_t> tags, MODIFYRECIPIENT_ROW *r)

Original file line number	Diff line number	Diff line change
`@@ -1664,7 +1664,7 @@ pack_result EXT_PULL::g_recipient_row(std::span<const proptag_t> tags, RECIPIENT`
`1664`	`1664`	`TRY(g_uint16(&r->count));`
`1665`	`1665`	`if (r->count > tags.size())`
`1666`	`1666`	`return pack_result::format;`
`1667`		`- return g_proprow(tags, &r->properties);`
	`1667`	`+ return g_proprow(tags.subspan(0, r->count), &r->properties);`
`1668`	`1668`	`}`
`1669`	`1669`
`1670`	`1670`	`pack_result EXT_PULL::g_modrcpt_row(std::span<const proptag_t> tags, MODIFYRECIPIENT_ROW *r)`