Don't overflow tmp in msg_parse_fetch.

Ensure INTERNALDATE and RFC822.SIZE field sizes fit temp buffer.

Thanks to Jeriko One for the bug report and patch, which this patch is
based upon.

diff --git a/imap/message.c b/imap/message.c
index 9ebfeb8ee6b95cf4bc33495da54612f33e8d6a4a..e6056555510c4fc5760be9b5b0353b12239e74ad 100644 (file)
--- a/imap/message.c
+++ b/imap/message.c
@@ -1345,6 +1345,7 @@ static int msg_parse_fetch (IMAP_HEADER *h, char *s)
 {
   char tmp[SHORT_STRING];
   char *ptmp;
+  size_t dlen;
 
   if (!s)
     return -1;
@@ -1378,8 +1379,12 @@ static int msg_parse_fetch (IMAP_HEADER *h, char *s)
       }
       s++;
       ptmp = tmp;
-      while (*s && *s != '\"')
+      dlen = sizeof(tmp) - 1;
+      while (*s && *s != '\"' && dlen)
+      {
         *ptmp++ = *s++;
+        dlen--;
+      }
       if (*s != '\"')
         return -1;
       s++; /* skip past the trailing " */
@@ -1391,8 +1396,12 @@ static int msg_parse_fetch (IMAP_HEADER *h, char *s)
       s += 11;
       SKIPWS (s);
       ptmp = tmp;
-      while (isdigit ((unsigned char) *s))
+      dlen = sizeof(tmp) - 1;
+      while (isdigit ((unsigned char) *s) && dlen)
+      {
         *ptmp++ = *s++;
+        dlen--;
+      }
       *ptmp = 0;
       if (mutt_atol (tmp, &h->content_length) < 0)
         return -1;