From 12c0e4da81f8ddadba391f8ed2f5622057ea2e04 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Mon, 22 May 2017 04:43:24 -0700
Subject: [PATCH] Fix mfc overflow check and uninitialized variable.

The check borrowed from mx_alloc_memory() works because it is incremented 25 at a time. I don't believe it will work for the direct set case used in imap_alloc_msn_index(). Instead, use a more conservative check.

In imap_read_headers(), make sure mfhrc is initialized. It would be tested without being set if imap_cmd_step() returned OK right away.
---
 imap/message.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/imap/message.c b/imap/message.c
index 8711adac2..5d79a6c7b 100644
--- a/imap/message.c
+++ b/imap/message.c
@@ -381,16 +381,19 @@ static void imap_alloc_msn_index(struct ImapData *idata, unsigned int msn_count)
   if (msn_count <= idata->msn_index_size)
     return;
 
-  /* Add a little padding, like mx_allloc_memory() */
-  new_size = msn_count + 25;
-
-  if (new_size * sizeof(struct Header *) < idata->msn_index_size * sizeof(struct Header *))
+  /* This is a conservative check to protect against a malicious imap
+   * server. Most likely size_t is bigger than an unsigned int, but
+   * if msn_count is this big, we have a serious problem. */
+  if (msn_count >= (UINT_MAX / sizeof(struct Header *)))
   {
     mutt_error(_("Integer overflow -- can't allocate memory."));
     sleep(1);
     mutt_exit(1);
   }
 
+  /* Add a little padding, like mx_allloc_memory() */
+  new_size = msn_count + 25;
+
   if (!idata->msn_index)
     idata->msn_index = safe_calloc(new_size, sizeof(struct Header *));
   else
@@ -472,7 +475,7 @@ int imap_read_headers(struct ImapData *idata, unsigned int msn_begin, unsigned i
   int msgno, idx;
   struct ImapHeader h;
   struct ImapStatus *status = NULL;
-  int rc, mfhrc, oldmsgcount;
+  int rc, mfhrc = 0, oldmsgcount;
   int fetch_msn_end = 0;
   unsigned int maxuid = 0;
   static const char *const want_headers =
-- 
2.40.0
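Review bot: The new guard `if (msn_count >= (UINT_MAX / sizeof(struct Header *)))` still falls through to `mutt_exit(1)`, so a malicious or buggy IMAP server that announces an absurd message count can terminate the whole client rather than just failing this mailbox; that remote-triggerable denial of service is pre-existing, but the commit's own comment names the malicious-server case as the motivation and leaves the exit in place. Because the function is `void` and its signature line is outside the hunk, a non-fatal path would need the caller contract changed, e.g. returning `-1` and letting imap_read_headers() abort the fetch. The bound itself looks sufficient for the following `new_size = msn_count + 25` provided `new_size` is at least an unsigned int (its declaration is not visible here), so a comment recording that dependency next to the check would help, e.g. `/* also leaves room for the +25 padding added below */`. Minor: the moved comment still misspells the helper as `mx_allloc_memory()`.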
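Review bot: `int rc, mfhrc = 0, oldmsgcount;` chooses 0, which presumably is the "header fetched OK" value in this file's msg_fetch_header() convention, as what is observed when imap_cmd_step() returns immediately; that makes a server that answers the FETCH with a bare tagged OK and no untagged FETCH data indistinguishable from a successful fetch at whatever check follows the loop. If that is the intended behaviour, record it with a comment such as `/* 0: a FETCH that yields no untagged data is treated as success rather than an uninitialized read */`; if not, initialize to the value the later check rejects so the anomaly is reported. The loop that assigns mfhrc and the test the commit message refers to are outside this hunk, as is the rest of imap_read_headers().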