From 2e51880af8478356deac985863f6f13952987224 Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond"
Date: Sat, 4 Aug 2001 23:04:42 +0000
Subject: Security fix. svn path=/trunk/; revision=3441
---
 imap.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'imap.c')
diff --git a/imap.c b/imap.c
index 96ca7ee3..0874e551 100644
--- a/imap.c
+++ b/imap.c
@@ -620,14 +620,19 @@ static int imap_getsizes(int sock, int count, int *sizes)
 gen_send(sock, "FETCH 1:%d RFC822.SIZE", count);
 for (;;) {
- int num, size, ok;
+ unsigned int num, size;
+ int ok;
 if ((ok = gen_recv(sock, buf, sizeof(buf)))) return(ok);
 else if (strstr(buf, "OK") || strstr(buf, "NO")) break;
- else if (sscanf(buf, "* %d FETCH (RFC822.SIZE %d)", &num, &size) == 2)
- sizes[num - 1] = size;
+ else if (sscanf(buf, "* %u FETCH (RFC822.SIZE %u)", &num, &size) == 2) {
+ if (num > 0 && num <= count)
+ sizes[num - 1] = size;
+ /* else, strict: protocol error, flexible: nothing
+ * I vote for flexible. */
+ }
 }
 return(PS_SUCCESS);
-- cgit v1.2.3
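Review bot: The added bound `num <= count` compares the now-unsigned `num` with the signed `count` parameter, so `count` is converted to unsigned and a negative `count` would become a very large limit that no longer constrains the index in `sizes[num - 1]`. Whether a caller can pass a negative `count` is not visible here, but the guard is cheap to make independent of that. Separately, `size` is parsed with `%u` and then stored into the `int *sizes` array, so a server-reported size above `INT_MAX` ends up as a negative entry. I would write the check as `if (count > 0 && num > 0 && num <= (unsigned int)count && size <= INT_MAX)` (with `<limits.h>` included) and log the ignored response instead of dropping it silently. The body of `imap_getsizes` starts and ends outside this hunk, so the declaration of `buf` and the callers' handling of `sizes` could not be checked.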