commit 6b22c837f6aea82079db91c10220e4fae77a31e2
parent 87c2ac1cc9382a22f4581294fbcf299a797e4f37
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date: Wed, 29 Dec 2021 21:55:53 +0100
overflow-check ranges[] in imap_set_range()
amends 3d64f167.
Diffstat:
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -2819,6 +2819,8 @@ typedef struct {
int flags;
} imap_range_t;
+#define MAX_RANGES 4
+
static void
imap_set_range( imap_range_t *ranges, uint *nranges, int low_flags, int high_flags, uint maxlow )
{
@@ -2830,6 +2832,8 @@ imap_set_range( imap_range_t *ranges, uint *nranges, int low_flags, int high_fla
continue; /* Range ends below split point; try next one. */
if (ranges[r].last != maxlow) {
/* Range does not end exactly at split point; need to split. */
+ if (*nranges == MAX_RANGES)
+ oob();
memmove( &ranges[r + 1], &ranges[r], ((*nranges)++ - r) * sizeof(*ranges) );
ranges[r].last = maxlow;
ranges[r + 1].first = maxlow + 1;
@@ -2883,7 +2887,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu
if (maxuid == UINT_MAX)
maxuid = ctx->uidnext - 1;
if (maxuid >= minuid) {
- imap_range_t ranges[4];
+ imap_range_t ranges[MAX_RANGES];
ranges[0].first = minuid;
ranges[0].last = maxuid;
ranges[0].flags = 0;
