dovecot-2.2: lib-index: Make sure a corrupted mail_cache_header_...
dovecot at dovecot.org
Sat Jan 5 01:14:36 EET 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/2f848393f78e
changeset: 15564:2f848393f78e
user: Timo Sirainen <tss at iki.fi>
date: Tue Dec 18 22:05:55 2012 +0200
description:
lib-index: Make sure a corrupted mail_cache_header_fields.size doesn't cause crashes.
diffstat:
src/lib-index/mail-cache-fields.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diffs (31 lines):
diff -r 579984fdb6e5 -r 2f848393f78e src/lib-index/mail-cache-fields.c
--- a/src/lib-index/mail-cache-fields.c Tue Dec 18 21:45:08 2012 +0200
+++ b/src/lib-index/mail-cache-fields.c Tue Dec 18 22:05:55 2012 +0200
@@ -206,7 +206,7 @@
const struct mail_cache_header_fields *field_hdr;
struct mail_cache_header_fields tmp_field_hdr;
const void *data;
- uint32_t offset = 0, next_offset;
+ uint32_t offset = 0, next_offset, field_hdr_size;
unsigned int next_count = 0;
bool invalidate = FALSE;
int ret;
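Review bot: field_hdr_size is added to the function-scope declaration line without an initializer, yet the only assignment in this patch sits inside the if (field_hdr_r != NULL) block of the next hunk. Declaring it inside that block, or initializing it to 0 here, would keep a later edit from reading it unset on the path where field_hdr_r is NULL.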
@@ -276,14 +276,16 @@
cache->need_compress_file_seq = cache->hdr->file_seq;
if (field_hdr_r != NULL) {
+ /* detect corrupted size later */
+ field_hdr_size = I_MAX(field_hdr->size, sizeof(*field_hdr));
if (cache->file_cache != NULL && invalidate) {
/* if this isn't the first header in file and we hadn't
read this before, we can't trust that the cached
data is valid */
file_cache_invalidate(cache->file_cache, offset,
- field_hdr->size);
+ field_hdr_size);
}
- ret = mail_cache_map(cache, offset, field_hdr->size, &data);
+ ret = mail_cache_map(cache, offset, field_hdr_size, &data);
if (ret < 0)
return -1;
if (ret == 0) {
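Review bot: the I_MAX() clamp at the top of the if (field_hdr_r != NULL) block only covers a field_hdr->size that is too small, raising it to sizeof(*field_hdr); a corrupted value that is too large still reaches file_cache_invalidate() and mail_cache_map() unchanged. The comment "detect corrupted size later" does not say where that detection happens, and the check is not part of these hunks, so the comment should name the code that rejects the bad size. It would also help to confirm that an oversized value is handled, either by the ret == 0 path after mail_cache_map() or by an explicit upper-bound comparison, and that no code after this point reads field_hdr->size directly, since that would bypass the clamp.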