Fix IMAP buffer overflow:

  http://www.securityfocus.com/bid/18642

PR:		ports/99613 [1], ports/99610 [2]
Submitted by:	Udo Schweigert <udo.schweigert@siemens.com> (maintainer) [1],
		J.P. Dinger <jpd@vvtp.tudelft.nl> [2]
Approved by:	ahze (mentor)

2 files changed, 29 insertions, 1 deletions

diff --git a/mail/mutt-devel/Makefile b/mail/mutt-devel/Makefile
index 6ea3bbb86aad..dc4a8e6403ef 100644
--- a/mail/mutt-devel/Makefile
+++ b/mail/mutt-devel/Makefile
@@ -107,7 +107,7 @@
 
 PORTNAME=	mutt-devel
 PORTVERSION=	1.5.11
-PORTREVISION?=	2
+PORTREVISION?=	3
 CATEGORIES+=	mail ipv6
 .if defined(WITH_MUTT_NNTP)
 CATEGORIES+=	news
diff --git a/mail/mutt-devel/files/patch-imap-browse.c b/mail/mutt-devel/files/patch-imap-browse.c
new file mode 100644
index 000000000000..86cda3140e69
--- /dev/null
+++ b/mail/mutt-devel/files/patch-imap-browse.c
@@ -0,0 +1,28 @@
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ 	    if (*s == '\"')
+ 	    {
+ 	      s++;
+-	      while (*s && *s != '\"') 
++	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
+ 	      {
+ 		if (*s == '\\')
+ 		  s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ 		s++;
+ 	    }
+ 	    else
+-	      while (*s && !ISSPACE (*s)) 
++	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ 	      {
+ 		ns[n++] = *s;
+ 		s++;
+ 	      }
+ 	    ns[n] = '\0';
++	    if (n == sizeof (ns) - 1)
++	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ 	    /* delim? */
+ 	    s = imap_next_word (s);
+ 	    /* delimiter is meaningless if namespace is "". Why does
+