From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 4 Oct 2015 02:08:45 +0000 (+0800)
Subject: Fix menu type in certificate prompt.  (see #3779)
X-Git-Tag: neomutt-20160404~109
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=892bb0f52eeba132780a495e485ebf7c4c0b35f9;p=neomutt

Fix menu type in certificate prompt.  (see #3779)

The menu type is used in several places as a direct index into
Keymaps[], so passing in -1 to mutt_new_menu() was leading to illegal
memory accesses later on.

Add a range check in mutt_new_menu(), defaulting to MENU_GENERIC, to
prevent this problem in the future.
---

diff --git a/menu.c b/menu.c
index e03dd3301..578593ebc 100644
--- a/menu.c
+++ b/menu.c
@@ -684,6 +684,9 @@ MUTTMENU *mutt_new_menu (int menu)
 {
   MUTTMENU *p = (MUTTMENU *) safe_calloc (1, sizeof (MUTTMENU));
 
+  if ((menu < 0) || (menu >= MENU_MAX))
+    menu = MENU_GENERIC;
+
   p->menu = menu;
   p->current = 0;
   p->top = 0;
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 4fdceb72f..9d1af09b1 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -977,7 +977,7 @@ static int interactive_check_cert (X509 *cert, int idx, int len)
   char helpstr[LONG_STRING];
   char buf[STRING];
   char title[STRING];
-  MUTTMENU *menu = mutt_new_menu (-1);
+  MUTTMENU *menu = mutt_new_menu (MENU_GENERIC);
   int done, row, i;
   FILE *fp;
   char *name = NULL, *c;
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 8582bec83..6ea94fc28 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -850,7 +850,7 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
     return 0;
   }
 
-  menu = mutt_new_menu (-1);
+  menu = mutt_new_menu (MENU_GENERIC);
   menu->max = 25;
   menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
   for (i = 0; i < menu->max; i++)