changeset 15564:2f848393f78e

lib-index: Make sure a corrupted mail_cache_header_fields.size doesn't cause crashes.
author Timo Sirainen <tss@iki.fi>
date Tue, 18 Dec 2012 22:05:55 +0200
parents 579984fdb6e5
children bded819417d9
files src/lib-index/mail-cache-fields.c
diffstat 1 files changed, 5 insertions(+), 3 deletions(-) [+]
--- a/src/lib-index/mail-cache-fields.c	Tue Dec 18 21:45:08 2012 +0200
+++ b/src/lib-index/mail-cache-fields.c	Tue Dec 18 22:05:55 2012 +0200
@@ -206,7 +206,7 @@
 	const struct mail_cache_header_fields *field_hdr;
 	struct mail_cache_header_fields tmp_field_hdr;
 	const void *data;
-	uint32_t offset = 0, next_offset;
+	uint32_t offset = 0, next_offset, field_hdr_size;
 	unsigned int next_count = 0;
 	bool invalidate = FALSE;
 	int ret;
@@ -276,14 +276,16 @@
 		cache->need_compress_file_seq = cache->hdr->file_seq;
 
 	if (field_hdr_r != NULL) {
+		/* detect corrupted size later */
+		field_hdr_size = I_MAX(field_hdr->size, sizeof(*field_hdr));
 		if (cache->file_cache != NULL && invalidate) {
 			/* if this isn't the first header in file and we hadn't
 			   read this before, we can't trust that the cached
 			   data is valid */
 			file_cache_invalidate(cache->file_cache, offset,
-					      field_hdr->size);
+					      field_hdr_size);
 		}
-		ret = mail_cache_map(cache, offset, field_hdr->size, &data);
+		ret = mail_cache_map(cache, offset, field_hdr_size, &data);
 		if (ret < 0)
 			return -1;
 		if (ret == 0) {
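Review bot: The new `field_hdr_size` only clamps a too-small `field_hdr->size` upward to `sizeof(*field_hdr)`; an absurdly large corrupted value still flows unchanged into `file_cache_invalidate()` and `mail_cache_map()`, and `offset + field_hdr_size` is a `uint32_t` sum that can wrap, so whether those callees bound the request against the actual file size is what decides if the crash is really gone — that cannot be verified from this hunk. The comment `/* detect corrupted size later */` does not say where that detection happens or what it covers; I would make it explicit, e.g. `/* a size smaller than the header is corrupt; map at least sizeof(*field_hdr) so the size check further down can run on a fully mapped header. An oversized value is passed through and must be rejected by mail_cache_map(). */`, adjusting the last clause to whichever function actually performs the bound check. The enclosing function starts before the first hunk and continues past this one.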