changeset 15564:2f848393f78e
lib-index: Make sure a corrupted mail_cache_header_fields.size doesn't cause crashes.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Tue, 18 Dec 2012 22:05:55 +0200 |
parents | 579984fdb6e5 |
children | bded819417d9 |
files | src/lib-index/mail-cache-fields.c |
diffstat | 1 files changed, 5 insertions(+), 3 deletions(-) [+] |
--- a/src/lib-index/mail-cache-fields.c Tue Dec 18 21:45:08 2012 +0200
+++ b/src/lib-index/mail-cache-fields.c Tue Dec 18 22:05:55 2012 +0200
@@ -206,7 +206,7 @@
 const struct mail_cache_header_fields *field_hdr;
 struct mail_cache_header_fields tmp_field_hdr;
 const void *data;
- uint32_t offset = 0, next_offset;
+ uint32_t offset = 0, next_offset, field_hdr_size;
 unsigned int next_count = 0;
 bool invalidate = FALSE;
 int ret;
@@ -276,14 +276,16 @@
 cache->need_compress_file_seq = cache->hdr->file_seq;
 if (field_hdr_r != NULL) {
+ /* detect corrupted size later */
+ field_hdr_size = I_MAX(field_hdr->size, sizeof(*field_hdr));
 if (cache->file_cache != NULL && invalidate) {
 /* if this isn't the first header in file and we hadn't read this before, we can't trust that the cached data is valid */
 file_cache_invalidate(cache->file_cache, offset,
- field_hdr->size);
+ field_hdr_size);
 }
- ret = mail_cache_map(cache, offset, field_hdr->size, &data);
+ ret = mail_cache_map(cache, offset, field_hdr_size, &data);
 if (ret < 0) return -1;
 if (ret == 0) {
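Review bot: `I_MAX(field_hdr->size, sizeof(*field_hdr))` only raises a too-small size up to the struct size; a corrupted `size` that is far too large is still passed unchanged to `file_cache_invalidate()` and `mail_cache_map()` in the second hunk. Whether that is safe depends on how `mail_cache_map()` treats a length that runs past the end of the file and on the later validation the new comment refers to, neither of which is visible here, so it is worth confirming that every later read is bounded by what was actually mapped rather than by `field_hdr->size`. The comment would help more if it said why the lower bound exists and where the check lives, e.g. `/* map at least the fixed header so its fields can be read; size itself is validated later (name the function here) */`. The enclosing function starts before the hunk and the `if (ret == 0) {` branch continues past it.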