From: Richard Russon
Date: Thu, 9 May 2019 15:17:10 +0000 (+0100)
Subject: check value of 'Content-Length' more carefully
X-Git-Tag: 2019-10-25~216^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=02c7fbdecd51e3c82b78b0be442fa9a9edf02d27;p=neomutt

check value of 'Content-Length' more carefully

Replace `atol()` with `mutt_str_atol()` which has error checking. Cap the maximum size to 1GiB. If we exceed this your email to TOO BIG!
---
diff --git a/email/parse.c b/email/parse.c
index 4b1b8f187..86e542625 100644
--- a/email/parse.c
+++ b/email/parse.c
@@ -48,6 +48,10 @@
 #include "rfc2231.h"
 #include "url.h"
 
+/* If the 'Content-Length' is bigger than 1GiB, then it's clearly wrong.
+ * Cap the value to prevent overflow of Body.length */
+#define CONTENT_TOO_BIG (1 << 30)
+
 /**
 * mutt_auto_subscribe - Check if user is subscribed to mailing list
 * @param mailto URI of mailing list subscribe
@@ -593,9 +597,11 @@ int mutt_rfc822_parse_line(struct Envelope *env, struct Email *e, char *line,
 {
 if (e)
 {
- e->content->length = atol(p);
- if (e->content->length < 0)
+ int rc = mutt_str_atol(p, &e->content->length);
+ if ((rc < 0) || (e->content->length < 0))
 e->content->length = -1;
+ if (e->content->length > CONTENT_TOO_BIG)
+ e->content->length = CONTENT_TOO_BIG;
 }
 matched = true;
 }
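Review bot: The comment above `CONTENT_TOO_BIG` says the cap prevents overflow of `Body.length`, but the only use visible in this commit is clamping the already-parsed header value, so it is unclear which overflow is meant (presumably later arithmetic on the length; worth stating). The surrounding context documents with Doxygen `/** */` blocks while this one is a plain `/* */`. A comment such as `/** Largest 'Content-Length', in bytes, accepted from a message header; larger values are capped */` would match the file and make clear that the limit applies to a value supplied by the message itself.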
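Review bot: An over-limit 'Content-Length' is clamped to `CONTENT_TOO_BIG` and kept as if it were a real length, whereas the other rejected inputs in this block become `-1`. The header is supplied by the message and the define's own comment calls such a value clearly wrong, so treating it as unknown looks safer for whatever code later trusts the length: `if (e->content->length > CONTENT_TOO_BIG) e->content->length = -1;`. Separately, `mutt_str_atol()` writes directly through `&e->content->length`; the declaration of `Body.length` is not visible here, so if it is not exactly `long` (for example an off_t-style type) the call has a pointer-type mismatch. Parsing into a local `long` and assigning the result afterwards would avoid that. The enclosing `mutt_rfc822_parse_line` starts and ends outside the hunk.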