Validate startPos parameter in UriParser.parseUri() implementations

app/core/src/main/java/com/fsck/k9/message/html/GenericUriParser.kt

@@ -9,6 +9,8 @@ import java.util.regex.Pattern
  */
 class GenericUriParser : UriParser {
     override fun parseUri(text: CharSequence, startPos: Int): UriMatch? {
+        require(startPos in text.indices) { "Invalid 'startPos' value" }
+
         val matcher = PATTERN.matcher(text)
         if (!matcher.find(startPos) || matcher.start() != startPos) return null
 

app/core/src/main/java/com/fsck/k9/message/html/HttpUriParser.kt

@@ -11,6 +11,8 @@ import kotlin.math.min
  */
 internal class HttpUriParser : UriParser {
     override fun parseUri(text: CharSequence, startPos: Int): UriMatch? {
+        require(startPos in text.indices) { "Invalid 'startPos' value" }
+
         val matchResult = SCHEME_REGEX.find(text, startPos) ?: return null
         if (matchResult.range.first != startPos) return null
 

app/core/src/test/java/com/fsck/k9/message/html/GenericUriParserTest.kt

@@ -1,7 +1,10 @@
 package com.fsck.k9.message.html
 
 import assertk.assertThat
+import assertk.assertions.hasMessage
 import assertk.assertions.isEqualTo
+import assertk.assertions.isFailure
+import assertk.assertions.isInstanceOf
 import kotlin.test.assertNotNull
 import org.junit.Test
 
@@ -62,6 +65,24 @@ class GenericUriParserTest {
         assertUriValid("matrix:roomid/rid:example.org/event/lol823y4bcp3qo4?via=example2.org")
     }
 
+    @Test
+    fun `negative 'startPos' value`() {
+        assertThat {
+            parser.parseUri("test", -1)
+        }.isFailure()
+            .isInstanceOf(IllegalArgumentException::class)
+            .hasMessage("Invalid 'startPos' value")
+    }
+
+    @Test
+    fun `out of bounds 'startPos' value`() {
+        assertThat {
+            parser.parseUri("test", 4)
+        }.isFailure()
+            .isInstanceOf(IllegalArgumentException::class)
+            .hasMessage("Invalid 'startPos' value")
+    }
+
     private fun assertUriValid(input: String) {
         val result = parser.parseUri(input, 0)
 

app/core/src/test/java/com/fsck/k9/message/html/HttpUriParserTest.kt

@@ -1,7 +1,10 @@
 package com.fsck.k9.message.html
 
 import assertk.assertThat
+import assertk.assertions.hasMessage
 import assertk.assertions.isEqualTo
+import assertk.assertions.isFailure
+import assertk.assertions.isInstanceOf
 import assertk.assertions.isNotNull
 import assertk.assertions.isNull
 import org.junit.Test
@@ -282,6 +285,24 @@ class HttpUriParserTest {
         assertUriMatch("https://domain.example/path", uriMatch, 6)
     }
 
+    @Test
+    fun `negative 'startPos' value`() {
+        assertThat {
+            parser.parseUri("test", -1)
+        }.isFailure()
+            .isInstanceOf(IllegalArgumentException::class)
+            .hasMessage("Invalid 'startPos' value")
+    }
+
+    @Test
+    fun `out of bounds 'startPos' value`() {
+        assertThat {
+            parser.parseUri("test", 4)
+        }.isFailure()
+            .isInstanceOf(IllegalArgumentException::class)
+            .hasMessage("Invalid 'startPos' value")
+    }
+
     private fun assertValidUri(uri: String) {
         val uriMatch = parser.parseUri(uri, 0)