summaryrefslogtreecommitdiff
path: root/pine-4.44-CAN-2003-0720-CAN-2003-0721.patch
blob: 24bd88f781c33f705e1a2437294b179a213d97c1 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

To fix CAN-2003-0720 CAN-2003-0721                                              
--- pine4.44/pine/mailview.c.orig	2002-01-08 20:56:02.000000000 +0000
+++ pine4.44/pine/mailview.c	2003-09-10 09:36:25.000000000 +0100
@@ -8377,7 +8377,7 @@
 
     for(p = params; p; p = p->next)	/* ok if we include *'s */
       if(p->attribute && (n = strlen(p->attribute)) > longest)
-	longest = n;
+	longest = min(32, n);   /* shouldn't be any bigger than 32 */
 
     d = tmp_20k_buf;
     if(parmlist = rfc2231_newparmlist(params)){
--- pine4.44/pine/strings.c.orig	2001-10-18 20:19:04.000000000 +0100
+++ pine4.44/pine/strings.c	2003-09-10 09:36:25.000000000 +0100
@@ -3611,7 +3611,8 @@
     char      *name, **charset, **lang;
 {
     char *buf, *p;
-    int	  decode = 0, name_len, i, n;
+    int	  decode = 0, name_len, i;
+    unsigned n;
 
     name_len = strlen(name);
     for(; parms ; parms = parms->next)
@@ -3632,15 +3633,19 @@
 		    n = 0;
 		    do
 		      n = (n * 10) + (*p - '0');
-		    while(isdigit(*++p));
+		    while(isdigit(*++p) && n < RFC2231_MAX);
 
 		    if(n < RFC2231_MAX){
 			pieces[n] = parms->value;
 			if(n > count)
 			  count = n;
 		    }
-		    else
+		    else {
+			q_status_message1(SM_ORDER | SM_DING, 0, 3,
+			"Invalid attachment parameter segment number: %.25s",
+					 name);
 		      return(NULL);		/* Too many segments! */
+		    }
 
 		    while(parms = parms->next)
 		      if(!struncmp(name, parms->attribute, name_len)){
@@ -3655,8 +3660,12 @@
 		for(i = len = 0; i <= count; i++)
 		  if(pieces[i])
 		    len += strlen(pieces[i]);
-		  else
+		  else{
+		      q_status_message1(SM_ORDER | SM_DING, 0, 3,
+			     "Missing attachment parameter sequence: %.25s",
+					 name);
 		    return(NULL);		/* hole! */
+		  }
 
 		buf = (char *) fs_get((len + 1) * sizeof(char));
 
@@ -3832,7 +3841,7 @@
     if(plist->value)
       fs_give((void **) &plist->value);
 
-    for(pp = plist->list; pp; pp = pp->next)
+    for(pp = plist->list; pp; pp = pp->next){
       /* get a name */
       for(i = 0; i < 32; i++)
 	if(!(plist->attrib[i] = pp->attribute[i]) ||  pp->attribute[i] == '*'){
@@ -3853,6 +3862,11 @@
 
 	    break;
 	}
+      if(i >= 32)
+	q_status_message1(SM_ORDER | SM_DING, 0, 3,
+			  "Overly long attachment parameter ignored: %.25s...",
+			  pp->attribute);
+    }
 
     return(FALSE);
 }
generated by cgit v0.10.2 at 2024-06-16 02:06:46 (GMT)