lobo/isync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

reserve enough UID ranges in imap_load_box()

Browse Source 
in certain configurations, under very unlikely conditions (which are
practically impossible to control remotely), we'd overflow ranges[].
in a typical gcc build, the values (which are also practically
impossible to control remotely) would be written at the end of buf[],
which would be rather harmless, as only a tiny part of buf is used
subsequently. so i'm not classifying this as a security issue.

amends 77acc268.
This commit is contained in:
Oswald Buddenhagen 2021-12-29 21:50:26 +01:00
parent bb5e98e9ec
commit 87c2ac1cc9
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/drv_imap.c
View File

@ -2883,7 +2883,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu
if (maxuid == UINT_MAX) if (maxuid == UINT_MAX)
maxuid = ctx->uidnext - 1; maxuid = ctx->uidnext - 1;
if (maxuid >= minuid) { if (maxuid >= minuid) {
imap_range_t ranges[3]; imap_range_t ranges[4];
ranges[0].first = minuid; ranges[0].first = minuid;
ranges[0].last = maxuid; ranges[0].last = maxuid;
ranges[0].flags = 0; ranges[0].flags = 0;