Fix browse_get_namespace() which could overflow ns[LONG_STRING].

author TAKAHASHI Tamotsu <tamo@momonga-linux.org>

Mon, 19 Jun 2006 18:14:03 +0000 (18:14 +0000)

committer TAKAHASHI Tamotsu <tamo@momonga-linux.org>

Mon, 19 Jun 2006 18:14:03 +0000 (18:14 +0000)
author TAKAHASHI Tamotsu <tamo@momonga-linux.org>
Mon, 19 Jun 2006 18:14:03 +0000 (18:14 +0000)
committer TAKAHASHI Tamotsu <tamo@momonga-linux.org>
Mon, 19 Jun 2006 18:14:03 +0000 (18:14 +0000)
diff --git a/imap/browse.c b/imap/browse.c

index bc2d036c22fd2abbeabf319200005de8be0b738d..43463baf3504595af0b8f1926d9f1757efb19f05 100644 (file)
--- a/imap/browse.c
+++ b/imap/browse.c
@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DATA* idata, char* nsbuf, int nsblen,
             if (*s == '\"')
             {
               s++;
-             while (*s && *s != '\"') 
+             while (*s && *s != '\"' && n < sizeof (ns) - 1) 
               {
                 if (*s == '\\')
                   s++;
@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DATA* idata, char* nsbuf, int nsblen,
                 s++;
             }
             else
-             while (*s && !ISSPACE (*s)) 
+             while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
               {
                 ns[n++] = *s;
                 s++;
               }
             ns[n] = '\0';
+           if (n == sizeof (ns) - 1)
+             dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
             /* delim? */
             s = imap_next_word (s);
             /* delimiter is meaningless if namespace is "". Why does
author	TAKAHASHI Tamotsu <tamo@momonga-linux.org>
	Mon, 19 Jun 2006 18:14:03 +0000 (18:14 +0000)
committer	TAKAHASHI Tamotsu <tamo@momonga-linux.org>
	Mon, 19 Jun 2006 18:14:03 +0000 (18:14 +0000)