From: TAKAHASHI Tamotsu Date: Mon, 19 Jun 2006 18:14:03 +0000 (+0000) Subject: Fix browse_get_namespace() which could overflow ns[LONG_STRING]. X-Git-Tag: mutt-1-5-12-rel~47 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=52117c5d6b4bd5d0ecc07e48b76fa3911ca650b9;p=mutt Fix browse_get_namespace() which could overflow ns[LONG_STRING]. (Possible remote vulnerability)
---
diff --git a/imap/browse.c b/imap/browse.c
index bc2d036c..43463baf 100644
--- a/imap/browse.c
+++ b/imap/browse.c
@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DATA* idata, char* nsbuf, int nsblen,
 if (*s == '\"')
 {
 s++;
- while (*s && *s != '\"')
+ while (*s && *s != '\"' && n < sizeof (ns) - 1)
 {
 if (*s == '\\')
 s++;
@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DATA* idata, char* nsbuf, int nsblen,
 s++;
 }
 else
- while (*s && !ISSPACE (*s))
+ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
 {
 ns[n++] = *s;
 s++;
 }
 ns[n] = '\0';
+ if (n == sizeof (ns) - 1)
+ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
 /* delim? */
 s = imap_next_word (s);
 /* delimiter is meaningless if namespace is "". Why does
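Review bot: The backslash handling in the quoted-string loop (first hunk) still advances `s` without checking what follows, so the new length guard does not cover a quoted namespace that ends in a lone `\`. In that case `s` lands on the terminating NUL, and if the rest of the loop body, which lies outside this hunk, copies and increments unconditionally, the next iteration reads past the end of the response buffer. Consuming the escape only when a character follows it would close this: `if (*s == '\\' && s[1]) s++;`. The loop body and the enclosing function continue beyond the hunk, so this should be confirmed against the full function.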
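Review bot: Truncation is only reported through `dprint` in the second hunk, and parsing then continues with `s` still pointing into the middle of the over-long namespace token. The following `imap_next_word (s)` and delimiter parsing therefore presumably read the tail of the name as if it were the next field, so a server-supplied oversized namespace is accepted as a truncated prefix with a misparsed delimiter instead of being rejected. It would be safer to treat this as a malformed response and skip the entry, or at least to consume the remainder of the token before the `/* delim? */` step. The test `n == sizeof (ns) - 1` also fires for a name that fits exactly; checking whether the loop stopped on the length condition (`*s` still inside the token) would avoid that false report. The enclosing function starts and ends outside the hunk.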