lobo/isync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix read beyond end of input in copy_msg_convert()

Browse Source 
the input isn't necessarily null-terminated (it currently is for imap,
but not for maildir), so if the message ended somewhere within the
header field name, we'd read beyond its end, which theoretically could
cause a crash. no other adverse effects could result, as we'd stop
processing such a broken message right afterwards.

amends 70bad661.
This commit is contained in:
Oswald Buddenhagen 2021-11-26 23:05:30 +01:00
parent 127003ee37
commit 51673214ab
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/sync.c
View File

@ -428,9 +428,10 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t )
if (!vars->minimal) if (!vars->minimal)
goto oke; goto oke;
} else { } else {
if (break2 == UINT_MAX && vars->minimal && !strncasecmp( in_buf + start, "Subject:", 8 )) { if (break2 == UINT_MAX && vars->minimal &&
starts_with_upper( in_buf + start, (int)(in_len - start), "SUBJECT:", 8 )) {
break2 = start + 8; break2 = start + 8;
if (in_buf[break2] == ' ') if (break2 < in_len && in_buf[break2] == ' ')
break2++; break2++;
} }
lines++; lines++;