diff options
author | ÃÂ Timo SirainenÃÂ <tss@iki.fi> | 2003-03-25 03:05:40 +0800 |
---|---|---|
committer | Jeffrey Stedfast <fejj@src.gnome.org> | 2003-03-25 03:05:40 +0800 |
commit | a7239ab18f7d65006c7e12377c6a94c944fbae36 (patch) | |
tree | 3091acda0d6ad800bf3f8930f37df96139aa836a /camel/providers | |
parent | 9125d276f3d9f7ad503d6284aa32f896d43b899e (diff) | |
download | gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.gz gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.bz2 gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.lz gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.xz gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.zst gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.zip |
camel-imap-command.c (imap_read_untagged) Integer overflow fix. If server
2003-03-24ÃÂ Timo SirainenÃÂ <tss@iki.fi>
* camel-imap-command.c (imap_read_untagged) Integer overflow fix.
If server sent a huge literal length, only a few bytes of memory
was allocated to it, but server could write as much data there as
it wanted.
svn path=/trunk/; revision=20484
Diffstat (limited to 'camel/providers')
-rw-r--r-- | camel/providers/imap/camel-imap-command.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/camel/providers/imap/camel-imap-command.c b/camel/providers/imap/camel-imap-command.c index 550bd8ba53..84cf16bd2a 100644 --- a/camel/providers/imap/camel-imap-command.c +++ b/camel/providers/imap/camel-imap-command.c @@ -415,7 +415,8 @@ imap_read_response (CamelImapStore *store, CamelException *ex) static char * imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex) { - int fulllen, length, ldigits, nread, i; + int fulllen, ldigits, nread, i; + unsigned int length; GPtrArray *data; GString *str; char *end, *p, *s, *d; @@ -438,7 +439,7 @@ imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex) break; length = strtoul (p + 1, &end, 10); - if (*end != '}' || *(end + 1) || end == p + 1) + if (*end != '}' || *(end + 1) || end == p + 1 || length >= UINT_MAX - 2) break; ldigits = end - (p + 1); |