dovecot-2.2: lib-index: Make sure dovecot.index.cache parsing do...

[dovecot at dovecot.org]

details:   http://hg.dovecot.org/dovecot-2.2/rev/8565c72f73ec
changeset: 18083:8565c72f73ec
user:      Timo Sirainen <tss at iki.fi>
date:      Thu Nov 13 11:29:41 2014 +0200
description:
lib-index: Make sure dovecot.index.cache parsing doesn't go to infinite loop.
Although we guarantee this only for files generated with Dovecot v2.2+
because it's too much trouble to check for older versions.

diffstat:

 src/lib-index/mail-cache-fields.c |  9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diffs (19 lines):

diff -r fab74a2b7468 -r 8565c72f73ec src/lib-index/mail-cache-fields.c
--- a/src/lib-index/mail-cache-fields.c	Thu Nov 13 11:14:08 2014 +0200
+++ b/src/lib-index/mail-cache-fields.c	Thu Nov 13 11:29:41 2014 +0200
@@ -234,6 +234,15 @@
 				"next_offset in field header loops");
 			return -1;
 		}
+		/* In Dovecot v2.2+ we don't try to use any holes,
+		   so next_offset must always be larger than current offset.
+		   also makes it easier to guarantee there aren't any loops
+		   (which we don't bother doing for old files) */
+		if (next_offset < offset && cache->hdr->minor_version != 0) {
+			mail_cache_set_corrupted(cache,
+				"next_offset in field header decreases");
+			return -1;
+		}
 		offset = next_offset;
 
 		if (cache->mmap_base != NULL || cache->map_with_read) {