dovecot-2.2: lib-index: Make sure a corrupted mail_cache_header_...

dovecot at dovecot.org dovecot at dovecot.org
Sat Jan 5 01:14:36 EET 2013


details:   http://hg.dovecot.org/dovecot-2.2/rev/2f848393f78e
changeset: 15564:2f848393f78e
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Dec 18 22:05:55 2012 +0200
description:
lib-index: Make sure a corrupted mail_cache_header_fields.size doesn't cause crashes.

diffstat:

 src/lib-index/mail-cache-fields.c |  8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diffs (31 lines):

diff -r 579984fdb6e5 -r 2f848393f78e src/lib-index/mail-cache-fields.c
--- a/src/lib-index/mail-cache-fields.c	Tue Dec 18 21:45:08 2012 +0200
+++ b/src/lib-index/mail-cache-fields.c	Tue Dec 18 22:05:55 2012 +0200
@@ -206,7 +206,7 @@
 	const struct mail_cache_header_fields *field_hdr;
 	struct mail_cache_header_fields tmp_field_hdr;
 	const void *data;
-	uint32_t offset = 0, next_offset;
+	uint32_t offset = 0, next_offset, field_hdr_size;
 	unsigned int next_count = 0;
 	bool invalidate = FALSE;
 	int ret;
@@ -276,14 +276,16 @@
 		cache->need_compress_file_seq = cache->hdr->file_seq;
 
 	if (field_hdr_r != NULL) {
+		/* detect corrupted size later */
+		field_hdr_size = I_MAX(field_hdr->size, sizeof(*field_hdr));
 		if (cache->file_cache != NULL && invalidate) {
 			/* if this isn't the first header in file and we hadn't
 			   read this before, we can't trust that the cached
 			   data is valid */
 			file_cache_invalidate(cache->file_cache, offset,
-					      field_hdr->size);
+					      field_hdr_size);
 		}
-		ret = mail_cache_map(cache, offset, field_hdr->size, &data);
+		ret = mail_cache_map(cache, offset, field_hdr_size, &data);
 		if (ret < 0)
 			return -1;
 		if (ret == 0) {
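Review bot: The clamp `field_hdr_size = I_MAX(field_hdr->size, sizeof(*field_hdr));` only covers a corrupted `size` that is too small, and the comment `/* detect corrupted size later */` does not say which later check is relied on. An oversized value read from the cache file is still passed unchanged to `file_cache_invalidate()` and `mail_cache_map()`. Presumably the `ret == 0` branch at the end of the hunk catches a range past the end of the file, but that handling is outside the hunk and worth confirming. I would make the comment state the contract, e.g. `/* size comes from the cache file and may be corrupted: always map at least the fixed header; too-large values are rejected by <name of the later check> */`. The enclosing function starts and ends outside this hunk, so the later validation cannot be verified from here.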

