On 06/14/2010 09:46 PM, Wesley Craig wrote:
> Seems like a reasonable suggestion.  Where was it reported, exactly?


These are patches from an experimental Debian build which can be found here:

https://mail.incase.de/svn/cyrus22/branches/cyrus23/cyrus-imapd-2.3-hmh/

These package builds have been languishing for years as no one in the Debian cyrus-devel group currently has time to work on them. Previously, they were stalled because of concerns about how to migrate people automatically from 2.1.x and 2.2.x.

Because of all this, Cyrus is being abandoned by people using Debian/Ubuntu. After a month of testing (I use both Cyrus and Dovecot on different servers), I've determined that Cyrus is still a better solution than Dovecot in many situations and have taken on the task of trying to get these packages up to production quality for distribution. One of the tasks is going through dozens of patches (some involving security issues) which have been around for years.

Right now I'm scratching my head over this one, as both these values seem kind of arbitrary:

~/imap/imapparse.c
line 53:
-    MAXLITERAL = INT_MAX / 20
+    MAXLITERAL = INT_MAX / 10
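
Review bot: raising the bound to INT_MAX / 10 on the + line removes the headroom that the loop quoted further down depends on, because that loop compares len against MAXLITERAL only after computing len = len*10 + c - '0'. If len is an int (its declaration is not shown here), a len equal to INT_MAX / 10 passes the check, and a following digit of 8 or 9 then pushes the sum past INT_MAX before the comparison runs; signed overflow is undefined in C, so the len < 0 test cannot be relied on to catch it. With INT_MAX / 20 the largest accepted len times ten plus nine still fits in an int. Suggest either keeping INT_MAX / 20 or moving the bound test ahead of the multiplication, and adding a comment next to MAXLITERAL that states why the divisor was chosen.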


The only place MAXLITERAL is used is here (line 156):
-------------------------------------------------
    /* Literal */
    isnowait = 0;
    buf->s[0] = '\0';
    while ((c = prot_getc(pin)) != EOF && isdigit(c)) {
        sawdigit = 1;
        len = len*10 + c - '0';
        if (len > MAXLITERAL || len < 0) {
            /* we overflowed */
            fatal("literal too big", EC_IOERR);
        }
    }
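
As an added example (not part of the original message and not Cyrus code): the arithmetic behind the two candidate bounds for the accumulate-then-check loop quoted above, plus a hypothetical `parse_literal_len` that tests the bound before multiplying. It assumes `len` is an `int`; the function names and the digit strings are constructed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Models the quoted loop's order of operations (accumulate, then compare).
 * Returns 1 if a value that passed the check (len <= bound) can make
 * len*10 + 9 exceed INT_MAX on the next digit, i.e. the int overflows
 * before the comparison runs. Done in long long so it cannot overflow. */
int check_after_can_overflow(int bound)
{
    return (long long)bound * 10 + 9 > (long long)INT_MAX;
}

/* Hypothetical alternative: test the next digit against the bound before
 * multiplying, so the arithmetic stays in range for any bound in
 * [0, INT_MAX]. Returns 0 and stores the value on success, -1 if there
 * are no digits or the value would exceed bound. */
int parse_literal_len(const char *s, int bound, int *out)
{
    int len = 0, sawdigit = 0;

    for (; isdigit((unsigned char)*s); s++) {
        int d = *s - '0';
        if (d > bound || len > (bound - d) / 10)
            return -1;              /* len*10 + d would exceed bound */
        len = len * 10 + d;
        sawdigit = 1;
    }
    if (!sawdigit)
        return -1;
    *out = len;
    return 0;
}

int main(void)
{
    /* Constructed inputs, assuming 32-bit int: INT_MAX and INT_MAX + 1. */
    const char *samples[] = { "2147483647", "2147483648" };
    int n = 0;

    printf("bound INT_MAX/20, check after: overflow possible = %d\n",
           check_after_can_overflow(INT_MAX / 20));
    printf("bound INT_MAX/10, check after: overflow possible = %d\n",
           check_after_can_overflow(INT_MAX / 10));
    for (int i = 0; i < 2; i++)
        printf("%s -> %d\n", samples[i],
               parse_literal_len(samples[i], INT_MAX, &n));
    return 0;
}
```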
