aboutsummaryrefslogtreecommitdiffstats
path: root/camel/providers
diff options
context:
space:
mode:
author  Timo Sirainen  <tss@iki.fi>2003-03-25 03:05:40 +0800
committerJeffrey Stedfast <fejj@src.gnome.org>2003-03-25 03:05:40 +0800
commita7239ab18f7d65006c7e12377c6a94c944fbae36 (patch)
tree3091acda0d6ad800bf3f8930f37df96139aa836a /camel/providers
parent9125d276f3d9f7ad503d6284aa32f896d43b899e (diff)
downloadgsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar
gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.gz
gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.bz2
gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.lz
gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.xz
gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.zst
gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.zip
camel-imap-command.c (imap_read_untagged) Integer overflow fix. If server
2003-03-24  Timo Sirainen  <tss@iki.fi> * camel-imap-command.c (imap_read_untagged) Integer overflow fix. If server sent a huge literal length, only a few bytes of memory was allocated to it, but server could write as much data there as it wanted. svn path=/trunk/; revision=20484
Diffstat (limited to 'camel/providers')
-rw-r--r--camel/providers/imap/camel-imap-command.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/camel/providers/imap/camel-imap-command.c b/camel/providers/imap/camel-imap-command.c
index 550bd8ba53..84cf16bd2a 100644
--- a/camel/providers/imap/camel-imap-command.c
+++ b/camel/providers/imap/camel-imap-command.c
@@ -415,7 +415,8 @@ imap_read_response (CamelImapStore *store, CamelException *ex)
static char *
imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
{
- int fulllen, length, ldigits, nread, i;
+ int fulllen, ldigits, nread, i;
+ unsigned int length;
GPtrArray *data;
GString *str;
char *end, *p, *s, *d;
@@ -438,7 +439,7 @@ imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
break;
length = strtoul (p + 1, &end, 10);
- if (*end != '}' || *(end + 1) || end == p + 1)
+ if (*end != '}' || *(end + 1) || end == p + 1 || length >= UINT_MAX - 2)
break;
ldigits = end - (p + 1);