dovecot-1.1: cache file: Don't crash if fields header offset poi...

[dovecot at dovecot.org]

details:   http://hg.dovecot.org/dovecot-1.1/rev/b662b2beaf12
changeset: 7839:b662b2beaf12
user:      Timo Sirainen <tss at iki.fi>
date:      Sat Aug 30 10:28:50 2008 +0300
description:
cache file: Don't crash if fields header offset points outside mmapped data.

diffstat:

1 file changed, 6 insertions(+), 1 deletion(-)
src/lib-index/mail-cache-fields.c |    7 ++++++-

diffs (24 lines):

diff -r eeb09d4c9746 -r b662b2beaf12 src/lib-index/mail-cache-fields.c
--- a/src/lib-index/mail-cache-fields.c	Fri Aug 29 09:58:18 2008 +0300
+++ b/src/lib-index/mail-cache-fields.c	Sat Aug 30 10:28:50 2008 +0300
@@ -198,6 +198,11 @@ static int mail_cache_header_fields_get_
 			if (mail_cache_map(cache, offset,
 					   sizeof(*field_hdr)) < 0)
 				return -1;
+			if (offset >= cache->mmap_length) {
+				mail_cache_set_corrupted(cache,
+					"header field next_offset points outside file");
+				return -1;
+			}
 
 			field_hdr = CONST_PTR_OFFSET(cache->data, offset);
 		} else {
@@ -212,7 +217,7 @@ static int mail_cache_header_fields_get_
 			}
 			if (ret == 0) {
 				mail_cache_set_corrupted(cache,
-					"next_offset points outside file");
+					"header field next_offset points outside file");
 				return -1;
 			}
 			field_hdr = &tmp_field_hdr;