From 87c2ac1cc9382a22f4581294fbcf299a797e4f37 Mon Sep 17 00:00:00 2001 From: Oswald Buddenhagen Date: Wed, 29 Dec 2021 21:50:26 +0100 Subject: [PATCH] reserve enough UID ranges in imap_load_box() in certain configurations, under very unlikely conditions (which are practically impossible to control remotely), we'd overflow ranges[]. in a typical gcc build, the values (which are also practically impossible to control remotely) would be written at the end of buf[], which would be rather harmless, as only a tiny part of buf is used subsequently. so i'm not classifying this as a security issue. amends 77acc268. --- src/drv_imap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/drv_imap.c b/src/drv_imap.c index c5a7aed..1db5993 100644 --- a/src/drv_imap.c +++ b/src/drv_imap.c @@ -2883,7 +2883,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu if (maxuid == UINT_MAX) maxuid = ctx->uidnext - 1; if (maxuid >= minuid) { - imap_range_t ranges[3]; + imap_range_t ranges[4]; ranges[0].first = minuid; ranges[0].last = maxuid; ranges[0].flags = 0;
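Review bot: The new bound in `imap_range_t ranges[4];` is still a bare literal, and nothing in the hunk ties it to the maximum number of entries the code can write into ranges[], which is how the previous value of 3 ended up too small. The code that adds further entries after `ranges[0]` is not visible in this hunk, so the declaration should carry a short comment listing which ranges can coexist. An assert on the entry count against the array size before each write would make a later added range fail loudly instead of writing past the array. The commit message says the overflow happens "in certain configurations"; naming those configurations would let a reviewer confirm that 4 is the true maximum.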