From e638a98dc7ee23dda677f9519fa9c002eb6478d5 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Wed, 15 Oct 2025 10:09:03 +0300
Subject: [PATCH] lib-storage: Fix potential crash with SEARCH MIMEPART FILENAME ENDS

If the search value was longer than the checked filename, it accessed memory outside the allocated buffer.
---
 src/lib-storage/index/index-search-mime.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib-storage/index/index-search-mime.c b/src/lib-storage/index/index-search-mime.c
index 95ad0ee628..ded94a9da4 100644
--- a/src/lib-storage/index/index-search-mime.c
+++ b/src/lib-storage/index/index-search-mime.c
@@ -283,7 +283,8 @@ search_arg_mime_filename_match(struct search_mimepart_context *mpctx,
 case SEARCH_MIME_FILENAME_ENDS:
 vlen = strlen(value);
 alen = strlen(key);
- return (str_begins_with(value + (vlen - alen), key) ? 1 : 0);
+ return (vlen >= alen &&
+ str_begins_with(value + (vlen - alen), key) ? 1 : 0);
 default:
 break;
 }
--
2.47.3
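Review bot: The new return in the `SEARCH_MIME_FILENAME_ENDS` case relies on `&&` binding tighter than `?:`. That is correct, but easy to misread on the one line that keeps `value + (vlen - alen)` inside the buffer, so I would parenthesize the condition: `return ((vlen >= alen && str_begins_with(value + (vlen - alen), key)) ? 1 : 0);`. A short comment above it, such as `/* key longer than value: vlen - alen would point outside value */`, would record why the length check has to be evaluated first. The declarations of `vlen` and `alen` and the rest of the switch are outside the hunk, so whether other cases do similar offset arithmetic cannot be judged from here. The commit adds no regression test; a search key longer than the filename being matched would pin this fix.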