From: Timo Sirainen
Date: Sat, 30 Aug 2008 07:28:50 +0000 (+0300)
Subject: cache file: Don't crash if fields header offset points outside mmapped data.
X-Git-Tag: 1.2.alpha1~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73b251f13abfbd8e06c8c78784eb570d28fe7e40;p=thirdparty%2Fdovecot%2Fcore.git
cache file: Don't crash if fields header offset points outside mmapped data.
--HG--
branch : HEAD
---
diff --git a/src/lib-index/mail-cache-fields.c b/src/lib-index/mail-cache-fields.c
index bcdda91ae5..e44ae6c51a 100644
--- a/src/lib-index/mail-cache-fields.c
+++ b/src/lib-index/mail-cache-fields.c
@@ -198,6 +198,11 @@ static int mail_cache_header_fields_get_offset(struct mail_cache *cache,
 if (mail_cache_map(cache, offset, sizeof(*field_hdr)) < 0) return -1;
+ if (offset >= cache->mmap_length) {
+ mail_cache_set_corrupted(cache,
+ "header field next_offset points outside file");
+ return -1;
+ }
 field_hdr = CONST_PTR_OFFSET(cache->data, offset); } else {
@@ -212,7 +217,7 @@ static int mail_cache_header_fields_get_offset(struct mail_cache *cache,
 } if (ret == 0) { mail_cache_set_corrupted(cache,
- "next_offset points outside file");
+ "header field next_offset points outside file");
 return -1; } field_hdr = &tmp_field_hdr;
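Review bot: The new guard `offset >= cache->mmap_length` in the mmap branch of the first hunk only proves that the first byte of the header lies inside the mapping. A `next_offset` that lands fewer than `sizeof(*field_hdr)` bytes before the end still passes, and later reads through `field_hdr` would then run past the mapped data. Unless `mail_cache_map()` is guaranteed to fail in that case (its behaviour is not visible here), the check should cover the whole header, e.g. `if (offset >= cache->mmap_length || cache->mmap_length - offset < sizeof(*field_hdr)) {`. The subtraction form avoids wrap-around in `offset + sizeof(*field_hdr)` when the file supplies a very large offset. The enclosing function starts and ends outside the hunk.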