From: Kevin McCarthy Date: Tue, 27 Nov 2018 21:55:04 +0000 (-0800) Subject: Fix QRESYNC crash after a large number of VANISHED messages X-Git-Tag: 2019-10-25~450^2~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bae6d76d6fdb0e3b896f9eeb52c0e0db49a4ae8a;p=neomutt Fix QRESYNC crash after a large number of VANISHED messages When handling QRESYNC vanished, imap_expunge_mailbox() was called to empty out the messages. Various counters, including vcount are updated by the mx_update_tables() after the expunge. These counters need to be reset, because mx_update_context() will do so once again at the end of reading new headers. This can cause an out of bounds access in v2r. --- diff --git a/imap/message.c b/imap/message.c index 209d23437..93ed4c8a7 100644 --- a/imap/message.c +++ b/imap/message.c @@ -967,6 +967,17 @@ static int read_headers_condstore_qresync_updates(struct ImapAccountData *adata, { imap_hcache_close(mdata); imap_expunge_mailbox(m); + + /* undo expunge count updates. + * mx_update_context() will do this at the end of the header fetch. */ + m->vcount = 0; + m->msg_tagged = 0; + m->msg_deleted = 0; + m->msg_new = 0; + m->msg_unread = 0; + m->msg_flagged = 0; + m->changed = 0; + mdata->hcache = imap_hcache_open(adata, mdata); mdata->reopen &= ~IMAP_EXPUNGE_PENDING; }
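Review bot: the hand-maintained list of fields zeroed after imap_expunge_mailbox(m) (m->vcount, m->msg_tagged, m->msg_deleted, m->msg_new, m->msg_unread, m->msg_flagged, m->changed) mirrors whatever mx_update_tables() touches, so it will silently drift if that function later updates another field; consider a small helper next to mx_update_tables() that resets exactly the fields it maintains, or at least name mx_update_tables() in the block comment so the coupling is visible. The comment "undo expunge count updates" also understates the reset: `m->changed = 0;` clears a dirty flag rather than a count, and that flag may have been set before this code path for reasons unrelated to the expunge, which is worth a sentence in the comment. Since the motivation is an out-of-bounds access in v2r after a large VANISHED response, a regression test that drives read_headers_condstore_qresync_updates() through a VANISHED list larger than the previous vcount would make the invariant (vcount rebuilt only at the end of the header fetch) checkable rather than relying on these seven assignments staying in sync.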