From 6b22c837f6aea82079db91c10220e4fae77a31e2 Mon Sep 17 00:00:00 2001 From: Oswald Buddenhagen Date: Wed, 29 Dec 2021 21:55:53 +0100 Subject: [PATCH] overflow-check ranges[] in imap_set_range() amends 3d64f167. --- src/drv_imap.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/drv_imap.c b/src/drv_imap.c index 1db5993..fb8d165 100644 --- a/src/drv_imap.c +++ b/src/drv_imap.c @@ -2819,6 +2819,8 @@ typedef struct { int flags; } imap_range_t; +#define MAX_RANGES 4 + static void imap_set_range( imap_range_t *ranges, uint *nranges, int low_flags, int high_flags, uint maxlow ) { @@ -2830,6 +2832,8 @@ imap_set_range( imap_range_t *ranges, uint *nranges, int low_flags, int high_fla continue; /* Range ends below split point; try next one. */ if (ranges[r].last != maxlow) { /* Range does not end exactly at split point; need to split. */ + if (*nranges == MAX_RANGES) + oob(); memmove( &ranges[r + 1], &ranges[r], ((*nranges)++ - r) * sizeof(*ranges) ); ranges[r].last = maxlow; ranges[r + 1].first = maxlow + 1; @@ -2883,7 +2887,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu if (maxuid == UINT_MAX) maxuid = ctx->uidnext - 1; if (maxuid >= minuid) { - imap_range_t ranges[4]; + imap_range_t ranges[MAX_RANGES]; ranges[0].first = minuid; ranges[0].last = maxuid; ranges[0].flags = 0;