Avoid a potential integer overflow if a Content-Length value is huge.
authorVincent Lefevre <vincent@vinc17.net>
Wed, 14 Feb 2018 09:33:41 +0000 (10:33 +0100)
committerRichard Russon <rich@flatcap.org>
Tue, 20 Feb 2018 22:04:56 +0000 (22:04 +0000)
mbox.c

diff --git a/mbox.c b/mbox.c
index c4848551c8e8a2a8a7629669b906c3ccfb5645d5..6a29b0df9aeb160b3b4f5f6ae1e08efa5bb7eb44 100644 (file)
--- a/mbox.c
+++ b/mbox.c
@@ -326,7 +326,11 @@ static int mbox_parse_mailbox(struct Context *ctx)
         LOFF_T tmploc;
 
         loc = ftello(ctx->fp);
-        tmploc = loc + curhdr->content->length + 1;
+
+        /* The test below avoids a potential integer overflow if the
+         * content-length is huge (thus necessarily invalid).
+         */
+        tmploc = (curhdr->content->length < ctx->size) ? (loc + curhdr->content->length + 1) : -1;
 
         if ((tmploc > 0) && (tmploc < ctx->size))
         {
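Review bot: The new guard on the `tmploc` line bounds `curhdr->content->length` by `ctx->size` but never looks at `loc`, so the addition is only safe while `ftello()` succeeded and `loc` itself lies inside the mailbox. `ftello()` returns -1 on error, and in that case `loc + length + 1` collapses to `length`, which can still satisfy `(tmploc > 0) && (tmploc < ctx->size)` and send the code that follows to an offset unrelated to the current message. Comparing against the bytes remaining after `loc` covers both the overflow and the failed-ftello case: `tmploc = (loc >= 0 && loc < ctx->size && curhdr->content->length < ctx->size - loc) ? (loc + curhdr->content->length + 1) : -1;`. Whether a negative `content->length` is already excluded cannot be seen here, because the enclosing block of mbox_parse_mailbox starts and ends outside the hunk; if it is not, that case should be rejected in the same condition.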