From: Kevin McCarthy Date: Sun, 23 Oct 2016 21:46:37 +0000 (-0700) Subject: Fix pager segfault when lineInfo.chunks overflows. (closes #3888) X-Git-Tag: neomutt-20170225~32^2~91^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b60b7cc38508f1665cd263c64386c3394b04203c;p=neomutt Fix pager segfault when lineInfo.chunks overflows. (closes #3888) The reporter had an html attachment with extremely long lines, combined with a color pattern of "color body default default ." This overflowed the lineInfo.chunks, causing a segfault. Abort the body color patterns if this happens. --- diff --git a/pager.c b/pager.c index d7674eb30..fee1aef05 100644 --- a/pager.c +++ b/pager.c @@ -868,6 +868,13 @@ resolve_types (char *buf, char *raw, struct line_t *lineInfo, int n, int last, { if (!found) { + /* Abort if we fill up chunks. + * Yes, this really happened. See #3888 */ + if (lineInfo[n].chunks == SHRT_MAX) + { + null_rx = 0; + break; + } if (++(lineInfo[n].chunks) > 1) safe_realloc (&(lineInfo[n].syntax), (lineInfo[n].chunks) * sizeof (struct syntax_t));
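Review bot: the new guard in resolve_types() hard-codes SHRT_MAX, which is only the right limit while lineInfo[n].chunks is declared as a short, and that declaration is not visible in this hunk. If the field is ever widened or made unsigned, the check `if (lineInfo[n].chunks == SHRT_MAX)` either stops matching reality or leaves the `++(lineInfo[n].chunks)` just below it free to wrap again, and the following safe_realloc would then be sized from the wrapped count. Consider a named limit defined next to the struct line_t field, or at least a comment at the declaration pointing at this check. This is the only hunk for pager.c, so it is worth confirming that the file already includes <limits.h> for SHRT_MAX. Two smaller points: the comment explains why the loop aborts but not why `null_rx = 0` has to be set before the `break`, and the abort is silent, so a line that hits the cap simply loses the rest of its body colouring with no trace. A debug-level message naming the line would make the next report like #3888 easier to diagnose.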