Re: Patch: Avoid a crash iterating in imap summary if it's corrupted.

From: Philip Van Hoof <spam pvanhoof be>
To: José Dapena Paz <jdapena igalia com>
Cc: tinymail-devel-list <tinymail-devel-list gnome org>
Subject: Re: Patch: Avoid a crash iterating in imap summary if it's corrupted.
Date: Sat, 25 Jul 2009 11:49:39 +0200

Approved, nice catch!

On Fri, 2009-07-24 at 17:52 +0200, José Dapena Paz wrote:
> 	Hi,
> 
> 	Patch for avoiding a crash in the recovery code in imap summary. An
> example of loop that may fail there:
> 
> 	curlen = 17, seq = 1
> 
> 	It will iterate from curlen - 1 (16).
> 
> 	When it finishes iteration with r = 0, it evaluates to true in for (r
> >= seq - 1, then 0 >= 0) and will decrease r and iterate again (with r =
> -1). This is a crash accessing the pointer array with a negative index.
> 
> 	Changelog entry:
>     
> 	* libtinymail-camel/camel-lite/camel/providers/imap/camel-imap-folder.c
> 	(imap_update_summary): if summary is bigger than the sequence number
> 	coming from server, summary is corrupt. We were iterating wrongly to
> 	remove the extra elements, and could cause a crash.
> 
> _______________________________________________
> tinymail-devel-list mailing list
> tinymail-devel-list gnome org
> http://mail.gnome.org/mailman/listinfo/tinymail-devel-list
-- 
Philip Van Hoof, freelance software developer
home: me at pvanhoof dot be 
gnome: pvanhoof at gnome dot org 
http://pvanhoof.be/blog
http://codeminded.be

References:
- Patch: Avoid a crash iterating in imap summary if it's corrupted.
  - From: =?ISO-8859-1?Q?Jos=E9?= Dapena Paz

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]