mirror of
https://git.freebsd.org/ports.git
synced 2025-06-23 05:30:31 -04:00
8800d58526
Obtained from: https://cyrus.foundation/cyrus-imapd/patch/?id=745e161c834f1eb6d62fc14477f51dae799e1e08, https://cyrus.foundation/cyrus-imapd/patch/?id=6fb6a272171f49c79ba6ab7c6403eb25b39ec1b2 MFH: 2015Q4 Security: d62ec98e-97d8-11e5-8c0e-080027b00c2e
40 lines
1.2 KiB
Text
40 lines
1.2 KiB
Text
From 745e161c834f1eb6d62fc14477f51dae799e1e08 Mon Sep 17 00:00:00 2001
|
|
From: ellie timoney <ellie@fastmail.com>
|
|
Date: Mon, 26 Oct 2015 16:15:40 +1100
|
|
Subject: urlfetch: protect against overflow in range checks
|
|
|
|
|
|
--- imap/index.c.orig 2015-07-06 03:38:29 UTC
|
|
+++ imap/index.c
|
|
@@ -2712,7 +2712,8 @@ int index_urlfetch(struct index_state *s
|
|
int fetchmime = 0, domain = DOMAIN_7BIT;
|
|
unsigned size;
|
|
int32_t skip = 0;
|
|
- int n, r = 0;
|
|
+ unsigned long n;
|
|
+ int r = 0;
|
|
char *decbuf = NULL;
|
|
struct mailbox *mailbox = state->mailbox;
|
|
struct index_map *im = &state->map[msgno-1];
|
|
@@ -2849,7 +2850,7 @@ int index_urlfetch(struct index_state *s
|
|
start_octet = size;
|
|
n = 0;
|
|
}
|
|
- else if (start_octet + n > size) {
|
|
+ else if (start_octet + n < start_octet || start_octet + n > size) {
|
|
n = size - start_octet;
|
|
}
|
|
|
|
@@ -2861,10 +2862,10 @@ int index_urlfetch(struct index_state *s
|
|
|
|
if (domain == DOMAIN_BINARY) {
|
|
/* Write size of literal8 */
|
|
- prot_printf(pout, " ~{%u}\r\n", n);
|
|
+ prot_printf(pout, " ~{%lu}\r\n", n);
|
|
} else {
|
|
/* Write size of literal */
|
|
- prot_printf(pout, " {%u}\r\n", n);
|
|
+ prot_printf(pout, " {%lu}\r\n", n);
|
|
}
|
|
}
|
|
|