dovecot-2.2: lib-index: Fixed crash when header fields count was...

[dovecot at dovecot.org]

details:   http://hg.dovecot.org/dovecot-2.2/rev/1f2c83d6dd2e
changeset: 17306:1f2c83d6dd2e
user:      Timo Sirainen <tss at iki.fi>
date:      Fri May 02 12:11:54 2014 +0300
description:
lib-index: Fixed crash when header fields count was too high in cache file.

diffstat:

 src/lib-index/mail-cache-fields.c |  3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diffs (13 lines):

diff -r 930b6b1346bd -r 1f2c83d6dd2e src/lib-index/mail-cache-fields.c
--- a/src/lib-index/mail-cache-fields.c	Fri May 02 11:58:52 2014 +0300
+++ b/src/lib-index/mail-cache-fields.c	Fri May 02 12:11:54 2014 +0300
@@ -328,7 +328,8 @@
 
 	/* check the fixed size of the header. name[] has to be checked
 	   separately */
-	if (field_hdr->size < MAIL_CACHE_FIELD_NAMES(field_hdr->fields_count)) {
+	if (field_hdr->fields_count > INT_MAX / MAIL_CACHE_FIELD_NAMES(1) ||
+	    field_hdr->size < MAIL_CACHE_FIELD_NAMES(field_hdr->fields_count)) {
 		mail_cache_set_corrupted(cache, "invalid field header size");
 		return -1;
 	}