From a7239ab18f7d65006c7e12377c6a94c944fbae36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=83=C2=82=C3=82=C2=A0=20Timo=20Sirainen=C3=83=C2=82?= =?UTF-8?q?=C3=82=C2=A0?=
Date: Mon, 24 Mar 2003 19:05:40 +0000
Subject: camel-imap-command.c (imap_read_untagged) Integer overflow fix. If server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

2003-03-24  Timo Sirainen
* camel-imap-command.c (imap_read_untagged) Integer overflow fix. If server sent a huge literal length, only a few bytes of memory was allocated to it, but server could write as much data there as it wanted.
svn path=/trunk/; revision=20484
---
 camel/providers/imap/camel-imap-command.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'camel/providers/imap')
diff --git a/camel/providers/imap/camel-imap-command.c b/camel/providers/imap/camel-imap-command.c
index 550bd8ba53..84cf16bd2a 100644
--- a/camel/providers/imap/camel-imap-command.c
+++ b/camel/providers/imap/camel-imap-command.c
@@ -415,7 +415,8 @@ imap_read_response (CamelImapStore *store, CamelException *ex)
 static char *
 imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
 {
- int fulllen, length, ldigits, nread, i;
+ int fulllen, ldigits, nread, i;
+ unsigned int length;
 GPtrArray *data;
 GString *str;
 char *end, *p, *s, *d;
@@ -438,7 +439,7 @@ imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
 break;
 length = strtoul (p + 1, &end, 10);
- if (*end != '}' || *(end + 1) || end == p + 1)
+ if (*end != '}' || *(end + 1) || end == p + 1 || length >= UINT_MAX - 2)
 break;
 ldigits = end - (p + 1);
-- 
cgit v1.2.3
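Review bot: In the `@@ -415,7 +415,8 @@` hunk, `fulllen` and `nread` stay `int` on the rewritten declaration line while `length` becomes `unsigned int` and, under the bound added in the second hunk, may be as large as `UINT_MAX - 3`. If those counters are accumulated from or compared against `length` later in `imap_read_untagged` (the body continues outside this hunk, so this is inferred), a server-supplied literal above `INT_MAX` would overflow them or turn the comparison into a mixed signed/unsigned one. Consider declaring them `unsigned int fulllen, nread;` as well, or rejecting literals above a much smaller protocol limit. A comment on the new declaration would also help the next reader, e.g. `/* literal byte count sent by the server: untrusted, range-checked after strtoul */`.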
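Review bot: In the `@@ -438,7 +439,7 @@` hunk, the new bound `length >= UINT_MAX - 2` is evaluated only after the `unsigned long` result of `strtoul` has been narrowed into `unsigned int length`, so on platforms where `unsigned long` is wider than `unsigned int` an oversized literal count wraps to a small value before the comparison and is accepted. Parsing into a wide temporary and testing that closes the gap: `unsigned long ulen = strtoul (p + 1, &end, 10);`, then `|| ulen >= UINT_MAX - 2` in the condition, then `length = ulen;` after it. `strtoul` also accepts a leading sign and whitespace, so requiring `p[1]` to be a digit before the call would keep the accepted syntax to what an IMAP literal allows. `UINT_MAX` needs `<limits.h>`, which this patch does not add; it may already be pulled in by another header, but that is not visible here. The enclosing function starts and ends outside the hunk.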