authorAleksander Morgado <aleksander@lanedo.com>2012-09-11 16:20:01 +0200
committerAleksander Morgado <aleksander@lanedo.com>2012-09-14 07:05:25 +0200
commit2871e3e821251245823d0e178c965a1ecbb5984a (patch)
treecb31d0244b12541d5f949f10471ac2f5d9719a6e /src
parent2b01c93c577e480768d721c48d09645914794666 (diff)
sms-part: don't read out of the pdu buffer
... or Valgrind will complain: ==4834== Invalid read of size 1 ==4834== at 0x43904C: mm_sms_part_new_from_binary_pdu (mm-sms-part.c:783) ==4834== by 0x4382C9: mm_sms_part_new_from_pdu (mm-sms-part.c:485) ==4834== by 0x461D85: sms_pdu_part_list_ready (mm-broadband-modem.c:5004) ==4834== by 0x3161A6CFB6: g_simple_async_result_complete (in /usr/lib64/libgio-2.0.so.0.3200.4) ==4834== by 0x432F82: at_command_parse_response (mm-base-modem-at.c:490) ==4834== by 0x489F96: handle_response (mm-at-serial-port.c:161) ==4834== by 0x486D0A: mm_serial_port_got_response (mm-serial-port.c:588) ==4834== by 0x48758B: data_available (mm-serial-port.c:804) ==4834== by 0x36ADC47694: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3200.4) ==4834== by 0x36ADC479C7: ??? (in /usr/lib64/libglib-2.0.so.0.3200.4) ==4834== by 0x36ADC47DC1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3200.4) ==4834== by 0x421398: main (main.c:150) ==4834== Address 0x927e489 is 0 bytes after a block of size 25 alloc'd ==4834== at 0x4A06F18: calloc (vg_replace_malloc.c:566) ==4834== by 0x36ADC4D2C6: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.3200.4) ==4834== by 0x4844B2: utils_hexstr2bin (mm-utils.c:63) ==4834== by 0x438284: mm_sms_part_new_from_pdu (mm-sms-part.c:476) ==4834== by 0x461D85: sms_pdu_part_list_ready (mm-broadband-modem.c:5004) ==4834== by 0x3161A6CFB6: g_simple_async_result_complete (in /usr/lib64/libgio-2.0.so.0.3200.4) ==4834== by 0x432F82: at_command_parse_response (mm-base-modem-at.c:490) ==4834== by 0x489F96: handle_response (mm-at-serial-port.c:161) ==4834== by 0x486D0A: mm_serial_port_got_response (mm-serial-port.c:588) ==4834== by 0x48758B: data_available (mm-serial-port.c:804) ==4834== by 0x36ADC47694: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3200.4) ==4834== by 0x36ADC479C7: ??? (in /usr/lib64/libglib-2.0.so.0.3200.4)
Diffstat (limited to 'src')
-rw-r--r--src/mm-sms-part.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/mm-sms-part.c b/src/mm-sms-part.c
index a6b06ced..95c41264 100644
--- a/src/mm-sms-part.c
+++ b/src/mm-sms-part.c
@@ -767,7 +767,7 @@ mm_sms_part_new_from_binary_pdu (guint index,
udhl = pdu[tp_user_data_offset] + 1;
end = tp_user_data_offset + udhl;
- for (offset = tp_user_data_offset + 1; offset < end;) {
+ for (offset = tp_user_data_offset + 1; (offset + 1) < end;) {
guint8 ie_id, ie_len;
ie_id = pdu[offset++];
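Review bot: The tightened loop bound still trusts `end`, which is computed two lines above from the UDHL octet read out of the PDU itself, so `(offset + 1) < end` only keeps the two header reads inside the header the PDU claims to have, not inside the buffer that was actually allocated. Unless the length passed in alongside `pdu` has already been checked against `tp_user_data_offset + udhl` earlier in the function (that part is outside this hunk), a PDU whose UDHL overstates the header length still drives `pdu[offset++]` past the end of the allocation, which is the same class of read the Valgrind trace in the description reports. I would add a single guard between the `end =` assignment and the loop that rejects or clamps the header when `end` exceeds the PDU length, with a comment such as `/* UDHL is attacker-controlled: never let the UDH walk past the PDU */`. The enclosing function begins before and continues after this hunk.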
@@ -775,6 +775,8 @@ mm_sms_part_new_from_binary_pdu (guint index,
switch (ie_id) {
case 0x00:
+ if (offset + 2 >= end)
+ break;
/*
* Ignore the IE if one of the following is true:
* - it claims to be part 0 of M
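Review bot: The added guard bounds the three field reads against the end of the UDH but not against the IE's own declared length, so an IE 0x00 whose `ie_len` is smaller than 3 has its missing octets read from whatever follows it (the next IE header, or the last octets of the header) and reported as reference/max/sequence, even though every read stays inside `end`. Since the code reads exactly three octets for this IE, checking the declared length first keeps a truncated IE from being parsed at all: `if (ie_len < 3 || offset + 2 >= end)`. The 16-bit variant in the next hunk (case 0x08) reads four octets and has the same gap; it wants `if (ie_len < 4 || offset + 3 >= end)`. The switch and the loop it sits in continue outside this hunk.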
@@ -789,6 +791,8 @@ mm_sms_part_new_from_binary_pdu (guint index,
mm_sms_part_set_concat_sequence (sms_part, pdu[offset + 2]);
break;
case 0x08:
+ if (offset + 3 >= end)
+ break;
/* Concatenated short message, 16-bit reference */
if (pdu[offset + 3] == 0 ||
pdu[offset + 3] > pdu[offset + 2])