fix read beyond end of input in copy_msg_convert()
the input isn't necessarily null-terminated (it currently is for imap,
but not for maildir), so if the message ended somewhere within the
header field name, we'd read beyond its end, which theoretically could
cause a crash. no other adverse effects could result, as we'd stop
processing such a broken message right afterwards.
amends 70bad661
.
This commit is contained in:
parent
127003ee37
commit
51673214ab
|
@ -428,9 +428,10 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t *vars, int t )
|
||||||
if (!vars->minimal)
|
if (!vars->minimal)
|
||||||
goto oke;
|
goto oke;
|
||||||
} else {
|
} else {
|
||||||
if (break2 == UINT_MAX && vars->minimal && !strncasecmp( in_buf + start, "Subject:", 8 )) {
|
if (break2 == UINT_MAX && vars->minimal &&
|
||||||
|
starts_with_upper( in_buf + start, (int)(in_len - start), "SUBJECT:", 8 )) {
|
||||||
break2 = start + 8;
|
break2 = start + 8;
|
||||||
if (in_buf[break2] == ' ')
|
if (break2 < in_len && in_buf[break2] == ' ')
|
||||||
break2++;
|
break2++;
|
||||||
}
|
}
|
||||||
lines++;
|
lines++;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user