Avoid a potential integer overflow if a Content-Length value is huge.
authorVincent Lefevre <vincent@vinc17.net>
Wed, 14 Feb 2018 09:33:41 +0000 (10:33 +0100)
committerVincent Lefevre <vincent@vinc17.net>
Wed, 14 Feb 2018 09:33:41 +0000 (10:33 +0100)
mbox.c

diff --git a/mbox.c b/mbox.c
index 379332732fdebda0a1f7248a760abb6f3943154e..346688323d79436a3efa225c15424936b6d17a77 100644 (file)
--- a/mbox.c
+++ b/mbox.c
@@ -317,7 +317,11 @@ int mbox_parse_mailbox (CONTEXT *ctx)
        LOFF_T tmploc;
 
        loc = ftello (ctx->fp);
-       tmploc = loc + curhdr->content->length + 1;
+
+       /* The test below avoids a potential integer overflow if the
+        * content-length is huge (thus necessarily invalid).
+        */
+       tmploc = curhdr->content->length < ctx->size ? loc + curhdr->content->length + 1 : -1;
 
        if (0 < tmploc && tmploc < ctx->size)
        {
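Review bot: The guard on the `tmploc` assignment bounds `curhdr->content->length` by the whole mailbox size rather than by the bytes remaining after `loc`, so `loc + length + 1` is only overflow-free while roughly twice `ctx->size` still fits in `LOFF_T`. The `loc` it adds to also comes from an unchecked `ftello`, which returns -1 on failure and would make `tmploc` equal to the header-supplied length. Since Content-Length is read from the message itself, an exact check is safer: `tmploc = (loc >= 0 && loc < ctx->size && curhdr->content->length < ctx->size - loc) ? loc + curhdr->content->length + 1 : -1;`. That form accepts the same offsets as the existing `0 < tmploc && tmploc < ctx->size` test below it. The body of `mbox_parse_mailbox` and the declaration of `length` lie outside the hunk, so its signedness and any earlier `length > 0` check should be confirmed.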