[dovecot-cvs] dovecot/src/lib-mail message-body-search.c, 1.27, 1.27.2.1

[tss at dovecot.org]

Update of /var/lib/cvs/dovecot/src/lib-mail
In directory talvi:/tmp/cvs-serv17482

Modified Files:
      Tag: branch_1_0
	message-body-search.c 
Log Message:
When searching MIME body headers, make sure we don't go out of bounds with broken MIME messages and cause assert-crash.



Index: message-body-search.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/lib-mail/message-body-search.c,v
retrieving revision 1.27
retrieving revision 1.27.2.1
diff -u -d -r1.27 -r1.27.2.1
--- message-body-search.c	26 Feb 2006 10:05:14 -0000	1.27
+++ message-body-search.c	9 Jan 2007 20:19:30 -0000	1.27.2.1
@@ -100,7 +100,8 @@
 }
 
 static bool message_search_header(struct part_search_context *ctx,
-				  struct istream *input)
+				  struct istream *input,
+				  const struct message_part *part)
 {
 	struct header_search_context *hdr_search_ctx;
 	struct message_header_parser_ctx *hdr_ctx;
@@ -117,6 +118,10 @@
 	/* we default to text content-type */
 	ctx->content_type_text = TRUE;
 
+	input = i_stream_create_limit(default_pool, input, part->physical_pos,
+				      part->header_size.physical_size);
+	i_stream_seek(input, 0);
+
 	hdr_ctx = message_parse_header_init(input, NULL, TRUE);
 	while ((ret = message_parse_header_next(hdr_ctx, &hdr)) > 0) {
 		if (hdr->eoh)
@@ -156,6 +161,7 @@
 	}
 	i_assert(ret != 0);
 	message_parse_header_deinit(&hdr_ctx);
+	i_stream_destroy(&input);
 
 	return found;
 }
@@ -401,7 +407,7 @@
 
 		t_push();
 
-		if (message_search_header(&part_ctx, input)) {
+		if (message_search_header(&part_ctx, input, part)) {
 			/* found / invalid search key */
 			ret = 1;
 		} else if (part->children != NULL) {