Fix QRESYNC crash after a large number of VANISHED messages

When handling QRESYNC vanished, imap_expunge_mailbox() was called to
empty out the messages.  Various counters, including vcount are
updated by the mx_update_tables() after the expunge.

These counters need to be reset, because mx_update_context() will do
so once again at the end of reading new headers.  This can cause an
out of bounds access in v2r.

diff --git a/imap/message.c b/imap/message.c
index 209d23437766ae584c30923c04b943e55a7e0c46..93ed4c8a7beb0bc5aa3226f1490d9a97212570d7 100644 (file)
--- a/imap/message.c
+++ b/imap/message.c
@@ -967,6 +967,17 @@ static int read_headers_condstore_qresync_updates(struct ImapAccountData *adata,
   {
     imap_hcache_close(mdata);
     imap_expunge_mailbox(m);
+
+    /* undo expunge count updates.
+     * mx_update_context() will do this at the end of the header fetch. */
+    m->vcount = 0;
+    m->msg_tagged = 0;
+    m->msg_deleted = 0;
+    m->msg_new = 0;
+    m->msg_unread = 0;
+    m->msg_flagged = 0;
+    m->changed = 0;
+
     mdata->hcache = imap_hcache_open(adata, mdata);
     mdata->reopen &= ~IMAP_EXPUNGE_PENDING;
   }