changeset: 7055:4ab3a8a2e321
user: Kevin McCarthy <[email protected]>
date: Mon May 22 04:43:24 2017 -0700
link: http://dev.mutt.org/hg/mutt/rev/4ab3a8a2e321
Fix mfc overflow check and uninitialized variable.
The check borrowed from mx_alloc_memory() works because it is
incremented 25 at a time. I don't believe it will work for the direct
set case used in imap_alloc_msn_index(). Instead, use a more
conservative check.
In imap_read_headers(), make sure mfhrc is initialized. It would be
tested without being set if imap_cmd_step() returned OK right away.
diffs (36 lines):
diff -r 5904c6376f77 -r 4ab3a8a2e321 imap/message.c
--- a/imap/message.c Sun May 21 18:45:09 2017 -0700
+++ b/imap/message.c Mon May 22 04:43:24 2017 -0700
@@ -76,16 +76,19 @@
if (msn_count <= idata->msn_index_size)
return;
- /* Add a little padding, like mx_allloc_memory() */
- new_size = msn_count + 25;
-
- if (new_size * sizeof (HEADER *) < idata->msn_index_size * sizeof (HEADER *))
+ /* This is a conservative check to protect against a malicious imap
+ * server. Most likely size_t is bigger than an unsigned int, but
+ * if msn_count is this big, we have a serious problem. */
+ if (msn_count >= (UINT_MAX / sizeof (HEADER *)))
{
mutt_error _("Integer overflow -- can't allocate memory.");
sleep (1);
mutt_exit (1);
}
+ /* Add a little padding, like mx_allloc_memory() */
+ new_size = msn_count + 25;
+
if (!idata->msn_index)
idata->msn_index = safe_calloc (new_size, sizeof (HEADER *));
else
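Review bot: the new guard `msn_count >= (UINT_MAX / sizeof (HEADER *))` only keeps the subsequent `new_size = msn_count + 25` from wrapping because dividing by `sizeof (HEADER *)` (at least 4 on any platform mutt targets) leaves far more than 25 of headroom below UINT_MAX; that dependency is worth stating in the comment, since moving the padding back above the check would silently reintroduce the overflow. Two smaller points in the same hunk: `UINT_MAX` requires `<limits.h>`, which is not visible in this context, so confirm it is already included by imap/message.c; and the re-added comment still carries the `mx_allloc_memory()` typo from the removed line (the function is `mx_alloc_memory()`, as the commit message spells it).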
@@ -167,7 +170,7 @@
int msgno, idx;
IMAP_HEADER h;
IMAP_STATUS* status;
- int rc, mfhrc, oldmsgcount;
+ int rc, mfhrc = 0, oldmsgcount;
int fetch_msn_end = 0;
unsigned int maxuid = 0;
static const char * const want_headers = "DATE FROM SUBJECT TO CC MESSAGE-ID
REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES
LIST-POST X-LABEL";
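Review bot: `mfhrc = 0` closes the uninitialized-read path the commit message describes (imap_cmd_step() returning OK before mfhrc is ever assigned), but the choice of 0 encodes an assumption that "no header was processed" should be treated as the non-error case when mfhrc is later tested; a one-line comment at the declaration, e.g. `int rc, mfhrc = 0, oldmsgcount; /* 0: no fetch result yet, not an error */`, would make that deliberate and keep a future refactor from changing the sentinel.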