Patch: Avoid a crash iterating in imap summary if it's corrupted.

From: José Dapena Paz <jdapena igalia com>
To: tinymail-devel-list <tinymail-devel-list gnome org>
Subject: Patch: Avoid a crash iterating in imap summary if it's corrupted.
Date: Fri, 24 Jul 2009 17:52:41 +0200

	Hi,

	Patch for avoiding a crash in the recovery code in imap summary. An
example of loop that may fail there:

	curlen = 17, seq = 1

	It will iterate from curlen - 1 (16).

	When it finishes iteration with r = 0, it evaluates to true in for (r
>= seq - 1, then 0 >= 0) and will decrease r and iterate again (with r =
-1). This is a crash accessing the pointer array with a negative index.

	Changelog entry:
    
	* libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c
	(imap_update_summary): if summary is bigger than the sequence number
	coming from server, summary is corrupt. We were iterating wrongly to
	remove the extra elements, and could cause a crash.

-- 
José Dapena Paz <jdapena igalia com>
Igalia

diff --git a/ChangeLog b/ChangeLog
index e1f2fa9..46ac9cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2009-07-24  Jose Dapena Paz  <jdapena igalia com>
+
+	Avoid a crash iterating in imap summary if it's corrupted.
+    
+	* libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c
+	(imap_update_summary): if summary is bigger than the sequence number
+	coming from server, summary is corrupt. We were iterating wrongly to
+	remove the extra elements, and could cause a crash.
+
 2009-07-20  Jose Dapena Paz  <jdapena igalia com>
 
 	* libtinymailui-gtk/tny-gtk-folder-list-store.c (get_parent_full_name):
diff --git a/libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c b/libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c
index c3c9ceb..ebe17bb 100644
--- a/libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c
+++ b/libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c
@@ -3563,7 +3563,7 @@ imap_update_summary (CamelFolder *folder, int exists,
 				  	int r;
 				  	if (curlen > sequence)
 				  	{
-				  		for (r = curlen-1; r >= sequence -1; r--)
+				  		for (r = curlen-1; r > sequence; r--)
 				  		{
 				  			CamelMessageInfo *ri;
 				  			g_warning ("Problem with your local summary store (too much), correcting: curlen=%d, r=%d, seq=%d\n", curlen, r, sequence);

Follow-Ups:
- Re: Patch: Avoid a crash iterating in imap summary if it's corrupted.
  - From: Philip Van Hoof

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]