Avoid a potential integer overflow if a Content-Length value is huge.

author: Vincent Lefevre <vincent@vinc17.net> 2018-02-14 10:33:41 +0100
committer: Vincent Lefevre <vincent@vinc17.net> 2018-02-14 10:33:41 +0100
commit: ebd93b509fe195500bb6aa1fdc36df05377b4ae3 (patch)
tree: f9b43600d8562809d45bc80f46cf1c25f7893a3f /mbox.c
parent: 088e1903488a6e35945763563d24f91bb0c5e6f8 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/mbox.c b/mbox.c
index 37933273..34668832 100644
--- a/mbox.c
+++ b/mbox.c
@@ -317,7 +317,11 @@ int mbox_parse_mailbox (CONTEXT *ctx)
 	LOFF_T tmploc;
 
 	loc = ftello (ctx->fp);
-	tmploc = loc + curhdr->content->length + 1;
+
+	/* The test below avoids a potential integer overflow if the
+	 * content-length is huge (thus necessarily invalid).
+	 */
+	tmploc = curhdr->content->length < ctx->size ? loc + curhdr->content->length + 1 : -1;
 
 	if (0 < tmploc && tmploc < ctx->size)
 	{
author	Vincent Lefevre <vincent@vinc17.net>	2018-02-14 10:33:41 +0100
committer	Vincent Lefevre <vincent@vinc17.net>	2018-02-14 10:33:41 +0100
commit	ebd93b509fe195500bb6aa1fdc36df05377b4ae3 (patch)
tree	f9b43600d8562809d45bc80f46cf1c25f7893a3f /mbox.c
parent	088e1903488a6e35945763563d24f91bb0c5e6f8 (diff)