Fix mfc overflow check and uninitialized variable.

The check borrowed from mx_alloc_memory() works because it is
incremented 25 at a time.  I don't believe it will work for the direct
set case used in imap_alloc_msn_index().  Instead, use a more
conservative check.

In imap_read_headers(), make sure mfhrc is initialized.  It would be
tested without being set if imap_cmd_step() returned OK right away.

diff --git a/imap/message.c b/imap/message.c
index 95edcfe21cf550ff2cdd54f2dd52641c7f372bc4..ef3a661799f8f34800e8481df6357e808a428926 100644 (file)
--- a/imap/message.c
+++ b/imap/message.c
@@ -76,16 +76,19 @@ static void imap_alloc_msn_index (IMAP_DATA *idata, unsigned int msn_count)
   if (msn_count <= idata->msn_index_size)
     return;
 
-  /* Add a little padding, like mx_allloc_memory() */
-  new_size = msn_count + 25;
-
-  if (new_size * sizeof (HEADER *) < idata->msn_index_size * sizeof (HEADER *))
+  /* This is a conservative check to protect against a malicious imap
+   * server.  Most likely size_t is bigger than an unsigned int, but
+   * if msn_count is this big, we have a serious problem. */
+  if (msn_count >= (UINT_MAX / sizeof (HEADER *)))
   {
     mutt_error _("Integer overflow -- can't allocate memory.");
     sleep (1);
     mutt_exit (1);
   }
 
+  /* Add a little padding, like mx_allloc_memory() */
+  new_size = msn_count + 25;
+
   if (!idata->msn_index)
     idata->msn_index = safe_calloc (new_size, sizeof (HEADER *));
   else
@@ -167,7 +170,7 @@ int imap_read_headers (IMAP_DATA* idata, unsigned int msn_begin, unsigned int ms
   int msgno, idx;
   IMAP_HEADER h;
   IMAP_STATUS* status;
-  int rc, mfhrc, oldmsgcount;
+  int rc, mfhrc = 0, oldmsgcount;
   int fetch_msn_end = 0;
   unsigned int maxuid = 0;
   static const char * const want_headers = "DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL";