From c091c3a2f0a85d2e2ad8d647c1b4fa9b8fe3c37a Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Mon, 22 May 2017 04:43:24 -0700
Subject: [PATCH] Fix mfc overflow check and uninitialized variable.

The check borrowed from mx_alloc_memory() works because it is incremented 25 at a time. I don't believe it will work for the direct set case used in imap_alloc_msn_index(). Instead, use a more conservative check.

In imap_read_headers(), make sure mfhrc is initialized. It would be tested without being set if imap_cmd_step() returned OK right away.

---
 imap/message.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/imap/message.c b/imap/message.c
index 95edcfe21..ef3a66179 100644
--- a/imap/message.c
+++ b/imap/message.c
@@ -76,16 +76,19 @@ static void imap_alloc_msn_index (IMAP_DATA *idata, unsigned int msn_count)
   if (msn_count <= idata->msn_index_size)
     return;
 
-  /* Add a little padding, like mx_allloc_memory() */
-  new_size = msn_count + 25;
-
-  if (new_size * sizeof (HEADER *) < idata->msn_index_size * sizeof (HEADER *))
+  /* This is a conservative check to protect against a malicious imap
+   * server. Most likely size_t is bigger than an unsigned int, but
+   * if msn_count is this big, we have a serious problem. */
+  if (msn_count >= (UINT_MAX / sizeof (HEADER *)))
   {
     mutt_error _("Integer overflow -- can't allocate memory.");
     sleep (1);
     mutt_exit (1);
   }
 
+  /* Add a little padding, like mx_allloc_memory() */
+  new_size = msn_count + 25;
+
   if (!idata->msn_index)
     idata->msn_index = safe_calloc (new_size, sizeof (HEADER *));
   else
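Review bot: The new bound on `msn_count` does not cover the padding added a few lines below it: `msn_count < UINT_MAX / sizeof (HEADER *)` keeps `msn_count * sizeof (HEADER *)` below UINT_MAX, but `new_size = msn_count + 25` can then push the byte count derived from `new_size` up to 25 * sizeof (HEADER *) past it, so on a platform where size_t is no wider than unsigned int — precisely the case the comment only calls unlikely — that count can still wrap before it reaches the allocator. Folding the padding into the bound closes the gap without changing the intent, `if (msn_count >= (UINT_MAX / sizeof (HEADER *)) - 25)`, and the comment should then state what is guaranteed rather than what is probable: that `msn_count + 25` and its product with `sizeof (HEADER *)` cannot overflow even when size_t and unsigned int share a width, because `msn_count` is a value the server controls (as the comment's reference to a malicious server implies). The reallocating `else` branch and the rest of imap_alloc_msn_index lie past the end of the hunk, so I cannot confirm from here whether safe_calloc or safe_realloc independently check that product. The moved padding comment also keeps the typo `mx_allloc_memory()`; the commit message spells it `mx_alloc_memory()`.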
@@ -167,7 +170,7 @@ int imap_read_headers (IMAP_DATA* idata, unsigned int msn_begin, unsigned int ms
   int msgno, idx;
   IMAP_HEADER h;
   IMAP_STATUS* status;
-  int rc, mfhrc, oldmsgcount;
+  int rc, mfhrc = 0, oldmsgcount;
   int fetch_msn_end = 0;
   unsigned int maxuid = 0;
   static const char * const want_headers = "DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL";
-- 
2.40.0
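Review bot: Initialising `mfhrc` in the middle of a comma-separated declaration, `int rc, mfhrc = 0, oldmsgcount;`, hides the one variable whose initial value now matters, and nothing at the declaration says why 0 is the right default when imap_cmd_step() returns OK before anything assigns it. Give it its own line with the reason from the commit message, `int rc, oldmsgcount;` followed by `int mfhrc = 0; /* tested after imap_cmd_step() even when nothing has set it */`. I cannot see from the hunk which branch the value 0 selects at the point where it is tested, so that the default really is the "nothing to report" path should be confirmed against the loop further down; imap_read_headers continues past the end of the hunk.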