commit 51673214abae762f16c8d4eab67152f7cb703da7
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Fri Nov 26 23:05:30 2021 +0100

    fix read beyond end of input in copy_msg_convert()
    
    the input isn't necessarily null-terminated (it currently is for imap,
    but not for maildir), so if the message ended somewhere within the
    header field name, we'd read beyond its end, which theoretically could
    cause a crash. no other adverse effects could result, as we'd stop
    processing such a broken message right afterwards.
    
    amends 70bad661.

 src/sync.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/sync.c b/src/sync.c
index 32d4fa1..6685b78 100644
--- a/src/sync.c
+++ b/src/sync.c
@@ -428,9 +428,10 @@ copy_msg_convert( int in_cr, int out_cr, copy_vars_t 
*vars, int t )
                                        if (!vars->minimal)
                                                goto oke;
                                } else {
-                                       if (break2 == UINT_MAX && vars->minimal 
&& !strncasecmp( in_buf + start, "Subject:", 8 )) {
+                                       if (break2 == UINT_MAX && vars->minimal 
&&
+                                           starts_with_upper( in_buf + start, 
(int)(in_len - start), "SUBJECT:", 8 )) {
                                                break2 = start + 8;
-                                               if (in_buf[break2] == ' ')
+                                               if (break2 < in_len && 
in_buf[break2] == ' ')
                                                        break2++;
                                        }
                                        lines++;
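Review bot: The cast `(int)(in_len - start)` in the new `starts_with_upper()` call relies on `start <= in_len` and on the remaining length fitting in an int, neither of which is visible in this hunk; if the helper gives a negative length a special meaning (its definition is not shown here), a wrapped value would silently change how the bound is applied. A short comment at the call would record the invariant this fix depends on, e.g. `// in_buf is not NUL-terminated (maildir); every read must be bounded by in_len`. The literal 8 now appears both in the call and in `break2 = start + 8`; deriving both from one constant such as `sizeof("SUBJECT:") - 1` would keep the length check and the offset from drifting apart. The body of copy_msg_convert() continues outside the hunk, so other reads of `in_buf` there are worth checking against the same assumption.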

