fix hypothetical buffer overflows

if something managed to make the maildir .uidvalidity files big enough (possible only by appending garbage or scrambling them alltogether), we would overflow the read buffer by one when appending the terminating null. this is not expected to have any real-world impact. found by coverity.
2014-04-12 13:03:46 +02:00 · 2014-04-12 13:03:46 +02:00 · d34baeb886
commit d34baeb886
parent df29c592d1
2 changed files with 2 additions and 2 deletions
--- a/src/drv_maildir.c
+++ b/src/drv_maildir.c
@ -496,7 +496,7 @@ maildir_uidval_lock( maildir_store_t *ctx )
 		return DRV_BOX_BAD;
 	}
 	lseek( ctx->uvfd, 0, SEEK_SET );
-	if ((n = read( ctx->uvfd, buf, sizeof(buf) )) <= 0 ||
+	if ((n = read( ctx->uvfd, buf, sizeof(buf) - 1 )) <= 0 ||
 	    (buf[n] = 0, sscanf( buf, "%d\n%d", &ctx->gen.uidvalidity, &ctx->nuid ) != 2)) {
 #if 1
 		/* In a generic driver, resetting the UID validity would be the right thing.
--- a/src/mdconvert.c
+++ b/src/mdconvert.c
@ -135,7 +135,7 @@ convert( const char *box, int altmap )
 	key.data = (void *)"UIDVALIDITY";
 	key.size = 11;
 	if (altmap) {
-		if ((n = read( sfd, buf, sizeof(buf) )) <= 0 ||
+		if ((n = read( sfd, buf, sizeof(buf) - 1 )) <= 0 ||
 		    (buf[n] = 0, sscanf( buf, "%d\n%d", &uv[0], &uv[1] ) != 2))
 		{
 			fprintf( stderr, "Error: cannot read UIDVALIDITY of '%s'.\n", box );