reserve enough UID ranges in imap_load_box()
in certain configurations, under very unlikely conditions (which are
practically impossible to control remotely), we'd overflow ranges[].
in a typical gcc build, the values (which are also practically
impossible to control remotely) would be written at the end of buf[],
which would be rather harmless, as only a tiny part of buf is used
subsequently. so i'm not classifying this as a security issue.
amends 77acc268
.
This commit is contained in:
parent
bb5e98e9ec
commit
87c2ac1cc9
|
@ -2883,7 +2883,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu
|
||||||
if (maxuid == UINT_MAX)
|
if (maxuid == UINT_MAX)
|
||||||
maxuid = ctx->uidnext - 1;
|
maxuid = ctx->uidnext - 1;
|
||||||
if (maxuid >= minuid) {
|
if (maxuid >= minuid) {
|
||||||
imap_range_t ranges[3];
|
imap_range_t ranges[4];
|
||||||
ranges[0].first = minuid;
|
ranges[0].first = minuid;
|
||||||
ranges[0].last = maxuid;
|
ranges[0].last = maxuid;
|
||||||
ranges[0].flags = 0;
|
ranges[0].flags = 0;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user