-rw-r--r--camel/ChangeLog7
-rw-r--r--camel/providers/imap/camel-imap-command.c5
2 files changed, 10 insertions, 2 deletions
diff --git a/camel/ChangeLog b/camel/ChangeLog
index db9c0d67e4..a52ee43c6e 100644
--- a/camel/ChangeLog
+++ b/camel/ChangeLog
@@ -1,3 +1,10 @@
+2003-03-24  Timo Sirainen  <tss@iki.fi>
+
+ * camel-imap-command.c (imap_read_untagged) Integer overflow fix.
+ If server sent a huge literal length, only a few bytes of memory
+ was allocated to it, but server could write as much data there as
+ it wanted.
+
2003-03-21 Jeffrey Stedfast <fejj@ximian.com>
Camel part of the fix for Lewing's bug #39204. Second half of the
diff --git a/camel/providers/imap/camel-imap-command.c b/camel/providers/imap/camel-imap-command.c
index 550bd8ba53..84cf16bd2a 100644
--- a/camel/providers/imap/camel-imap-command.c
+++ b/camel/providers/imap/camel-imap-command.c
@@ -415,7 +415,8 @@ imap_read_response (CamelImapStore *store, CamelException *ex)
static char *
imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
{
- int fulllen, length, ldigits, nread, i;
+ int fulllen, ldigits, nread, i;
+ unsigned int length;
GPtrArray *data;
GString *str;
char *end, *p, *s, *d;
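Review bot: Declaring `length` as `unsigned int` still lets the `strtoul` result in the next hunk be truncated before the new `length >= UINT_MAX - 2` guard runs: `strtoul` returns `unsigned long`, so on targets where `unsigned long` is wider than `unsigned int` a literal length such as 2^32 + k is stored as k and passes the check. Keeping the full-width result, `unsigned long length;`, and comparing that value makes the guard cover every input the parser can produce; an `errno = 0;` before the `strtoul` call and an `|| errno == ERANGE` in the condition would also reject lengths that do not fit `unsigned long` at all. `fulllen` stays a signed `int` here, and if it accumulates `length` later in the function that sum presumably needs the same overflow check (that code is outside the hunk). The `UINT_MAX` reference requires `<limits.h>`; the include list is not visible in this diff, so confirm it is already included. The body of imap_read_untagged continues outside the hunk.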
@@ -438,7 +439,7 @@ imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
break;
length = strtoul (p + 1, &end, 10);
- if (*end != '}' || *(end + 1) || end == p + 1)
+ if (*end != '}' || *(end + 1) || end == p + 1 || length >= UINT_MAX - 2)
break;
ldigits = end - (p + 1);