
reserve enough UID ranges in imap_load_box()

in certain configurations, under very unlikely conditions (which are
practically impossible to control remotely), we'd overflow ranges[].
in a typical gcc build, the values (which are also practically
impossible to control remotely) would be written at the end of buf[],
which would be rather harmless, as only a tiny part of buf is used
subsequently. so i'm not classifying this as a security issue.

amends 77acc268.
wip/maildir-path-under-inbox
Oswald Buddenhagen 3 years ago
parent
commit
87c2ac1cc9
2
src/drv_imap.c

@ -2883,7 +2883,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu
if (maxuid == UINT_MAX) if (maxuid == UINT_MAX)
maxuid = ctx->uidnext - 1; maxuid = ctx->uidnext - 1;
if (maxuid >= minuid) { if (maxuid >= minuid) {
imap_range_t ranges[3]; imap_range_t ranges[4];
ranges[0].first = minuid; ranges[0].first = minuid;
ranges[0].last = maxuid; ranges[0].last = maxuid;
ranges[0].flags = 0; ranges[0].flags = 0;
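Review bot: the new size in `imap_range_t ranges[4];` is still a bare literal, and nothing visible in this hunk ties it to how many entries the code following the `ranges[0]` initialisation can append, which is the same arrangement that let the previous bound of 3 fall out of step. Consider adding a comment at the declaration that lists each condition that can add a range, and an assertion on the entry count against the array size at the point where entries are appended, so a future extra split fails loudly instead of writing past the array. The commit message's assessment that the stray writes land at the end of `buf[]` depends on the stack layout of a particular build, so a bounds check is the more durable guarantee.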
