isync

mailbox synchronization program
git clone https://git.code.sf.net/p/isync/isync

commit 87c2ac1cc9382a22f4581294fbcf299a797e4f37
parent bb5e98e9ec9655b018294b3a650cf218535d475a
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date:   Wed, 29 Dec 2021 21:50:26 +0100

reserve enough UID ranges in imap_load_box()

in certain configurations, under very unlikely conditions (which are
practically impossible to control remotely), we'd overflow ranges[].
in a typical gcc build, the values (which are also practically
impossible to control remotely) would be written at the end of buf[],
which would be rather harmless, as only a tiny part of buf is used
subsequently. so i'm not classifying this as a security issue.

amends 77acc268.

Diffstat:
M src/drv_imap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/drv_imap.c b/src/drv_imap.c @@ -2883,7 +2883,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, uint finduid, uint pairu if (maxuid == UINT_MAX) maxuid = ctx->uidnext - 1; if (maxuid >= minuid) { - imap_range_t ranges[3]; + imap_range_t ranges[4]; ranges[0].first = minuid; ranges[0].last = maxuid; ranges[0].flags = 0;
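
Review bot: The new size in `imap_range_t ranges[4];` is still a bare literal with no comment saying which four ranges can coexist, and nothing in the visible lines checks the number of entries against the array size, so the overflow the commit message describes could return if another range is added later. Suggest a short comment at the declaration listing the cases that each consume a slot, plus an assertion that the entry count stays below `sizeof(ranges) / sizeof(ranges[0])` at the point where entries beyond `ranges[0]` are appended (that code is outside this hunk).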