[dovecot-cvs] dovecot/src/util idxview.c,1.1.2.1,1.1.2.2

tss at dovecot.org tss at dovecot.org
Fri Mar 23 22:47:38 EET 2007


Update of /var/lib/cvs/dovecot/src/util
In directory talvi:/tmp/cvs-serv23715

Modified Files:
      Tag: branch_1_0
	idxview.c 
Log Message:
Try to avoid crashes a bit harder with broken cache files.



Index: idxview.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/util/idxview.c,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -d -r1.1.2.1 -r1.1.2.2
--- idxview.c	20 Mar 2007 15:00:22 -0000	1.1.2.1
+++ idxview.c	23 Mar 2007 20:47:36 -0000	1.1.2.2
@@ -180,6 +180,10 @@
 		i_fatal("cache file fields read() %"PRIuSIZE_T" != %u",
 			ret, fields.size);
 	}
+	printf("fields_count: %u\n", fields.fields_count);
+
+	if (fields.fields_count > 10000)
+		i_fatal("Broken fields_count");
 
 	last_used = CONST_PTR_OFFSET(buf, MAIL_CACHE_FIELD_LAST_USED());
 	size = CONST_PTR_OFFSET(buf, MAIL_CACHE_FIELD_SIZE(fields.fields_count));
@@ -187,6 +191,9 @@
 	decision = CONST_PTR_OFFSET(buf, MAIL_CACHE_FIELD_DECISION(fields.fields_count));
 	names = CONST_PTR_OFFSET(buf, MAIL_CACHE_FIELD_NAMES(fields.fields_count));
 
+	if (names - (const char *)buf >= fields.size)
+		i_fatal("Fields go outside allocated size");
+
 	ARRAY_CREATE(&cache_fields, default_pool, struct mail_cache_field, 64);
 	memset(&field, 0, sizeof(field));
 	for (i = 0; i < fields.fields_count; i++) {



More information about the dovecot-cvs mailing list