lib-index: Make sure dovecot.index.cache parsing doesn't go to infinite loop.
authorTimo Sirainen <tss@iki.fi>
Thu, 13 Nov 2014 09:29:41 +0000 (11:29 +0200)
committerTimo Sirainen <tss@iki.fi>
Thu, 13 Nov 2014 09:29:41 +0000 (11:29 +0200)
Although we guarantee this only for files generated with Dovecot v2.2+
because it's too much trouble to check for older versions.

src/lib-index/mail-cache-fields.c

index 4c0d9faef75f542f865618b81fa1e8ce3efb994d..9e18edf8c521582e5e048d91217e9b729f3fa909 100644 (file)
@@ -234,6 +234,15 @@ mail_cache_header_fields_get_offset(struct mail_cache *cache,
                                "next_offset in field header loops");
                        return -1;
                }
+               /* In Dovecot v2.2+ we don't try to use any holes,
+                  so next_offset must always be larger than current offset.
+                  also makes it easier to guarantee there aren't any loops
+                  (which we don't bother doing for old files) */
+               if (next_offset < offset && cache->hdr->minor_version != 0) {
+                       mail_cache_set_corrupted(cache,
+                               "next_offset in field header decreases");
+                       return -1;
+               }
                offset = next_offset;
 
                if (cache->mmap_base != NULL || cache->map_with_read) {
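Review bot: The new monotonicity check is gated on `cache->hdr->minor_version != 0`, and that field appears to come from the header of the same cache file being validated. A corrupted or tampered dovecot.index.cache that reports minor_version 0 would therefore skip the check and could still leave the walk following a multi-hop cycle of next_offset values. The earlier "next_offset in field header loops" branch is only partly visible in this hunk, so it may already cover more than I can see. If it only rejects a direct self-reference, I would add a fallback for old files: count the hops in this loop and call mail_cache_set_corrupted() once the count exceeds what the file size can hold. At minimum the comment should record the residual risk, e.g. `/* minor_version is read from the file itself; files reporting 0 get no loop protection here */`. The enclosing loop and function start and end outside this hunk.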