Verify IMAP status mailbox literal count size.

Ensure the length isn't bigger than the idata->buf.

Thanks to Jeriko One fo the bug report and patch, which this commit is
based upon.

diff --git a/imap/command.c b/imap/command.c
index bb267f623ed5b0e23da9d84200efd574277c09e8..6abd759d39abccecd3c3935a49e6b12b39c3fe20 100644 (file)
--- a/imap/command.c
+++ b/imap/command.c
@@ -969,6 +969,13 @@ static void cmd_parse_status (IMAP_DATA* idata, char* s)
       idata->status = IMAP_FATAL;
       return;
     }
+
+    if (strlen(idata->buf) < litlen)
+    {
+      dprint (1, (debugfile, "Error parsing STATUS mailbox\n"));
+      return;
+    }
+
     mailbox = idata->buf;
     s = mailbox + litlen;
     *s = '\0';