On Thu, Jun 18, 2026 at 08:09:10AM +0800, Kevin J. McCarthy wrote:
----- Forwarded message from Acts1631 <[email protected]> -----
From: Acts1631 <[email protected]>
imap_alloc_msn_index() checks for maliciously large IMAP message sequence number 
counts before allocating idata->msn_index:

 if (msn_count >= (UINT_MAX / sizeof(HEADER *)))
 {
   mutt_error _("Integer overflow -- can't allocate memory.");
   sleep(1);
   mutt_exit(1);
 }

Calling mutt_exit(1) terminates the mutt process. A robust IMAP client should 
reject the mailbox/update and return an error to the caller instead of exiting 
the program.

This is a NAK for me. I'm open for debate on this, but definitely not before 2.4.0.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
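
The alternative described in the forwarded message, as an added example (not mutt's code and not written by either poster): a hypothetical msn_index_reserve() applies the same kind of bound check but returns an error code and leaves the existing index untouched, so the caller can reject the update. The struct, function and error names are assumptions made for this illustration, and the bound is taken against SIZE_MAX because the multiplication here is done in size_t.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for this example; not mutt's own definitions. */
typedef struct header HEADER;

struct mailbox {
    HEADER **msn_index;       /* sequence number -> header pointer */
    size_t   msn_index_size;  /* number of slots currently allocated */
};

enum { MSN_OK = 0, MSN_ERR_OVERFLOW = -1, MSN_ERR_NOMEM = -2 };

/* Grow the index to hold msn_count entries. On any failure the existing
 * index is left as it was and an error code goes back to the caller. */
int msn_index_reserve(struct mailbox *mb, size_t msn_count)
{
    HEADER **grown;

    if (msn_count <= mb->msn_index_size)
        return MSN_OK;

    /* Reject counts whose byte size would wrap around in size_t. */
    if (msn_count >= SIZE_MAX / sizeof(HEADER *))
        return MSN_ERR_OVERFLOW;

    grown = realloc(mb->msn_index, msn_count * sizeof(HEADER *));
    if (grown == NULL)
        return MSN_ERR_NOMEM;   /* realloc left the old block valid */

    /* Clear only the newly added slots; existing entries are preserved. */
    for (size_t i = mb->msn_index_size; i < msn_count; i++)
        grown[i] = NULL;

    mb->msn_index = grown;
    mb->msn_index_size = msn_count;
    return MSN_OK;
}

/* Caller side: a server-supplied count that cannot be satisfied rejects
 * this update only. The process keeps running and the mailbox keeps its
 * previous index, so the caller can report the error and close it. */
int mailbox_apply_exists(struct mailbox *mb, size_t server_count)
{
    int rc = msn_index_reserve(mb, server_count);
    if (rc != MSN_OK)
        return rc;
    return MSN_OK;
}
```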
