lib-storage: Fix potential crash with SEARCH MIMEPART FILENAME ENDS
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Wed, 15 Oct 2025 07:09:03 +0000 (10:09 +0300)
committertimo.sirainen <timo.sirainen@open-xchange.com>
Wed, 15 Oct 2025 12:22:20 +0000 (12:22 +0000)
If the search value was longer than the checked filename, it accessed
memory outside the allocated buffer.

src/lib-storage/index/index-search-mime.c

index 95ad0ee6283c06fa6828d4eee6848a1cb2cf7136..ded94a9da4d6411c5420e908e34f861e1fe9b00d 100644 (file)
@@ -283,7 +283,8 @@ search_arg_mime_filename_match(struct search_mimepart_context *mpctx,
        case SEARCH_MIME_FILENAME_ENDS:
                vlen = strlen(value);
                alen = strlen(key);
-               return (str_begins_with(value + (vlen - alen), key) ? 1 : 0);
+               return (vlen >= alen &&
+                       str_begins_with(value + (vlen - alen), key) ? 1 : 0);
        default:
                break;
        }
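Review bot: The added return in the `SEARCH_MIME_FILENAME_ENDS` case is correct only because `&&` binds tighter than `?:`, and the line break makes it read as if the ternary applied to `str_begins_with()` alone. Since this guard is what keeps `value + (vlen - alen)` inside the buffer, make the grouping explicit: `return (vlen >= alen && str_begins_with(value + (vlen - alen), key)) ? 1 : 0;`, or put an early `if (vlen < alen) return 0;` before the return. A short comment such as `/* key longer than filename cannot be a suffix; also keeps vlen - alen from wrapping */` would record why the check must stay. The declarations of `vlen` and `alen` and the rest of the function lie outside the hunk, so the wrap-around is inferred from the commit message. No test is visible in this commit, so a regression case with a key longer than the filename would pin the fix.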