diff options
author |  Timo Sirainen <tss@iki.fi> | 2003-03-25 03:05:40 +0800 |
---|---|---|
committer | Jeffrey Stedfast <fejj@src.gnome.org> | 2003-03-25 03:05:40 +0800 |
commit | a7239ab18f7d65006c7e12377c6a94c944fbae36 (patch) | |
tree | 3091acda0d6ad800bf3f8930f37df96139aa836a | |
parent | 9125d276f3d9f7ad503d6284aa32f896d43b899e (diff) | |
download | gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.gz gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.tar.zst gsoc2013-evolution-a7239ab18f7d65006c7e12377c6a94c944fbae36.zip |
camel-imap-command.c (imap_read_untagged) Integer overflow fix. If server
2003-03-24 Timo Sirainen <tss@iki.fi>
* camel-imap-command.c (imap_read_untagged) Integer overflow fix.
If server sent a huge literal length, only a few bytes of memory
was allocated to it, but server could write as much data there as
it wanted.
svn path=/trunk/; revision=20484
-rw-r--r-- | camel/ChangeLog | 7 | ||||
-rw-r--r-- | camel/providers/imap/camel-imap-command.c | 5 |
2 files changed, 10 insertions, 2 deletions
diff --git a/camel/ChangeLog b/camel/ChangeLog index db9c0d67e4..a52ee43c6e 100644 --- a/camel/ChangeLog +++ b/camel/ChangeLog @@ -1,3 +1,10 @@ +2003-03-24 Timo Sirainen <tss@iki.fi> + + * camel-imap-command.c (imap_read_untagged) Integer overflow fix. + If server sent a huge literal length, only a few bytes of memory + was allocated to it, but server could write as much data there as + it wanted. + 2003-03-21 Jeffrey Stedfast <fejj@ximian.com> Camel part of the fix for Lewing's bug #39204. Second half of the diff --git a/camel/providers/imap/camel-imap-command.c b/camel/providers/imap/camel-imap-command.c index 550bd8ba53..84cf16bd2a 100644 --- a/camel/providers/imap/camel-imap-command.c +++ b/camel/providers/imap/camel-imap-command.c @@ -415,7 +415,8 @@ imap_read_response (CamelImapStore *store, CamelException *ex) static char * imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex) { - int fulllen, length, ldigits, nread, i; + int fulllen, ldigits, nread, i; + unsigned int length; GPtrArray *data; GString *str; char *end, *p, *s, *d; @@ -438,7 +439,7 @@ imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex) break; length = strtoul (p + 1, &end, 10); - if (*end != '}' || *(end + 1) || end == p + 1) + if (*end != '}' || *(end + 1) || end == p + 1 || length >= UINT_MAX - 2) break; ldigits = end - (p + 1); |