-rw-r--r-- | camel/ChangeLog | 7 | ||||
-rw-r--r-- | camel/providers/imap/camel-imap-command.c | 5 |
2 files changed, 10 insertions, 2 deletions
diff --git a/camel/ChangeLog b/camel/ChangeLog
index db9c0d67e4..a52ee43c6e 100644
--- a/camel/ChangeLog
+++ b/camel/ChangeLog
@@ -1,3 +1,10 @@
+2003-03-24 Timo Sirainen <tss@iki.fi>
+
+ * camel-imap-command.c (imap_read_untagged) Integer overflow fix.
+ If server sent a huge literal length, only a few bytes of memory
+ was allocated to it, but server could write as much data there as
+ it wanted.
+
 2003-03-21 Jeffrey Stedfast <fejj@ximian.com>
 Camel part of the fix for Lewing's bug #39204. Second half of the
diff --git a/camel/providers/imap/camel-imap-command.c b/camel/providers/imap/camel-imap-command.c
index 550bd8ba53..84cf16bd2a 100644
--- a/camel/providers/imap/camel-imap-command.c
+++ b/camel/providers/imap/camel-imap-command.c
@@ -415,7 +415,8 @@ imap_read_response (CamelImapStore *store, CamelException *ex)
 static char *
 imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
 {
- int fulllen, length, ldigits, nread, i;
+ int fulllen, ldigits, nread, i;
+ unsigned int length;
 GPtrArray *data;
 GString *str;
 char *end, *p, *s, *d;
@@ -438,7 +439,7 @@ imap_read_untagged (CamelImapStore *store, char *line, CamelException *ex)
 break;
 length = strtoul (p + 1, &end, 10);
- if (*end != '}' || *(end + 1) || end == p + 1)
+ if (*end != '}' || *(end + 1) || end == p + 1 || length >= UINT_MAX - 2)
 break;
 ldigits = end - (p + 1); |
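Review bot: In the second camel-imap-command.c hunk the `strtoul` result is narrowed into the new `unsigned int length` (declared in the first hunk) before the `length >= UINT_MAX - 2` test runs, so on platforms where `unsigned long` is wider than `unsigned int` a server-supplied literal size above `UINT_MAX` is silently truncated and can pass the check as a small value. Parsing into an `unsigned long` and rejecting before narrowing avoids that: `errno = 0; ulen = strtoul (p + 1, &end, 10);`, then add `|| errno == ERANGE || ulen >= UINT_MAX - 2` to the condition and assign `length = ulen;` only afterwards. The declaration hunk leaves `fulllen` and `nread` as `int`, and the code that uses them lies outside these hunks, so it is worth confirming that a `length` above `INT_MAX` cannot wrap or compare wrongly when mixed with them, and whether a much lower sanity cap is appropriate for a value the server fully controls. `UINT_MAX` also needs `<limits.h>`, whose include is not visible here.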