From: Vincent Lefevre Date: Wed, 14 Feb 2018 09:33:41 +0000 (+0100) Subject: Avoid a potential integer overflow if a Content-Length value is huge. X-Git-Tag: mutt-1-10-rel~52 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ebd93b509fe195500bb6aa1fdc36df05377b4ae3;p=mutt Avoid a potential integer overflow if a Content-Length value is huge. --- diff --git a/mbox.c b/mbox.c index 37933273..34668832 100644 --- a/mbox.c +++ b/mbox.c @@ -317,7 +317,11 @@ int mbox_parse_mailbox (CONTEXT *ctx) LOFF_T tmploc; loc = ftello (ctx->fp); - tmploc = loc + curhdr->content->length + 1; + + /* The test below avoids a potential integer overflow if the + * content-length is huge (thus necessarily invalid). + */ + tmploc = curhdr->content->length < ctx->size ? loc + curhdr->content->length + 1 : -1; if (0 < tmploc && tmploc < ctx->size) {
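Review bot: On the new `tmploc` assignment, the guard bounds `curhdr->content->length` by `ctx->size` alone, so the no-overflow argument for `loc + curhdr->content->length + 1` still depends on two things the hunk does not show: that `loc` is no larger than `ctx->size`, and that `ctx->size` is at most about half the maximum of `LOFF_T`. Comparing against the space remaining after the current position, for example `curhdr->content->length < ctx->size - loc`, would give a tighter bound that does not depend on the magnitude of `ctx->size`. Two smaller points: `loc = ftello (ctx->fp)` is used without a check for the -1 error return, and the comment could say that -1 is chosen because it fails the `0 < tmploc` test that follows. The guard is also one-sided: if the length field is signed, a negative value passes it and is rejected only by that same `0 < tmploc` test, which is worth stating in the comment if it is intended.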