From ebd93b509fe195500bb6aa1fdc36df05377b4ae3 Mon Sep 17 00:00:00 2001
From: Vincent Lefevre
Date: Wed, 14 Feb 2018 10:33:41 +0100
Subject: Avoid a potential integer overflow if a Content-Length value is huge.

---
 mbox.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'mbox.c')

diff --git a/mbox.c b/mbox.c
index 37933273..34668832 100644
--- a/mbox.c
+++ b/mbox.c
@@ -317,7 +317,11 @@ int mbox_parse_mailbox (CONTEXT *ctx)
  LOFF_T tmploc;
 
  loc = ftello (ctx->fp);
- tmploc = loc + curhdr->content->length + 1;
+
+ /* The test below avoids a potential integer overflow if the
+  * content-length is huge (thus necessarily invalid).
+  */
+ tmploc = curhdr->content->length < ctx->size ? loc + curhdr->content->length + 1 : -1;
 
  if (0 < tmploc && tmploc < ctx->size)
  {
-- 
cgit v1.2.3
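Review bot: The guard on the new `tmploc` assignment bounds `curhdr->content->length` by `ctx->size` but not the sum `loc + curhdr->content->length + 1`, so it is only safe if `loc` is a non-negative offset no larger than the file size. The `ftello` result on the line above is not checked for `-1` within this hunk. Comparing the length against the bytes remaining cannot overflow by construction: `tmploc = (loc >= 0 && curhdr->content->length < ctx->size - loc) ? loc + curhdr->content->length + 1 : -1;`. This assumes `content->length` and `ctx->size` are signed file-offset types like `LOFF_T`, which the hunk does not show. The body of mbox_parse_mailbox starts and ends outside the hunk, so that assumption and any earlier rejection of non-positive lengths should be confirmed there.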