commit 87c2ac1cc9382a22f4581294fbcf299a797e4f37
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Wed Dec 29 21:50:26 2021 +0100

    reserve enough UID ranges in imap_load_box()
    
    in certain configurations, under very unlikely conditions (which are
    practically impossible to control remotely), we'd overflow ranges[].
    in a typical gcc build, the values (which are also practically
    impossible to control remotely) would be written at the end of buf[],
    which would be rather harmless, as only a tiny part of buf is used
    subsequently. so i'm not classifying this as a security issue.
    
    amends 77acc268.

 src/drv_imap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/drv_imap.c b/src/drv_imap.c
index c5a7aedb..1db59937 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2883,7 +2883,7 @@ imap_load_box( store_t *gctx, uint minuid, uint maxuid, 
uint finduid, uint pairu
                if (maxuid == UINT_MAX)
                        maxuid = ctx->uidnext - 1;
                if (maxuid >= minuid) {
-                       imap_range_t ranges[3];
+                       imap_range_t ranges[4];
                        ranges[0].first = minuid;
                        ranges[0].last = maxuid;
                        ranges[0].flags = 0;
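Review bot: the size in `imap_range_t ranges[4];` is still a bare literal with nothing in the hunk tying it to the number of entries the code after `ranges[0]` can fill, which is how the previous value of 3 came to be too small. A short comment listing the cases that add up to four entries would document the bound. A check of the fill index against `sizeof(ranges) / sizeof(ranges[0])` before each further write would make a future undercount fail visibly instead of writing past the array onto neighbouring stack data, as the commit message describes for buf[].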


_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
