From: Timo Sirainen Date: Mon, 4 Feb 2013 15:06:40 +0000 (+0200) Subject: lib-index: Bug in cache file size verification caused the whole cache file to be... X-Git-Tag: 2.1.15~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97144a346898fb62f9fae44fa5c076986553c66b;p=thirdparty%2Fdovecot%2Fcore.git lib-index: Bug in cache file size verification caused the whole cache file to be mapped. --- diff --git a/src/lib-index/mail-cache.c b/src/lib-index/mail-cache.c index 4903a8964b..d59ea43f27 100644 --- a/src/lib-index/mail-cache.c +++ b/src/lib-index/mail-cache.c @@ -367,7 +367,8 @@ int mail_cache_map(struct mail_cache *cache, size_t offset, size_t size, /* verify offset + size before trying to allocate a huge amount of memory due to them. note that we may be prefetching more than we actually need, so don't fail too early. */ - if (size > cache->mmap_length || offset + size > cache->mmap_length) { + if ((size > cache->mmap_length || offset + size > cache->mmap_length) && + (offset > 0 || size > sizeof(struct mail_cache_header))) { if (fstat(cache->fd, &st) < 0) { i_error("fstat(%s) failed: %m", cache->filepath); return -1; @@ -376,7 +377,8 @@ int mail_cache_map(struct mail_cache *cache, size_t offset, size_t size, *data_r = NULL; return 0; } - size = st.st_size - offset; + if (offset + size > (uoff_t)st.st_size) + size = st.st_size - offset; } cache->remap_counter++;
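Review bot: `offset + size` is computed in `size_t` (both are `size_t` parameters) and can wrap before the comparison, both in the widened condition of the first hunk and in the new guard `if (offset + size > (uoff_t)st.st_size)` of the second hunk. The old code clamped `size` unconditionally, so a wrapped sum could never leave an oversized `size` in place; with the new guard, a large `size` whose sum with `offset` wraps stays unclamped, which is the huge-allocation case the comment above the check warns about. These values presumably originate from cache file contents, so compare without adding: `if (size > (uoff_t)st.st_size - offset)` in the second hunk, which is safe provided the check just above that hunk (its condition is not visible here) has already returned when `offset >= st.st_size`. The first-hunk test can be written the same way as `offset > cache->mmap_length || size > cache->mmap_length - offset`. The body of mail_cache_map starts before the first hunk and continues past the second.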