Commit a386719e authored by Byrial Jensen's avatar Byrial Jensen

There is a possible buffer overflow due an off-by-one error in

imap/util.c, line 125. The error is in the maximum field width
indication in the sscanf() call. You must have room in the receiving
buffer for this number of characters /plus a terminating NULL
character/.
parent 8c3ecaf6
......@@ -122,7 +122,7 @@ int imap_parse_path (const char* path, IMAP_MBOX* mx)
else
{
FREE (&c);
if (sscanf (path, "{%128[^}]}", tmp) != 1)
if (sscanf (path, "{%127[^}]}", tmp) != 1)
return -1;
c = strchr (path, '}');
......@@ -140,7 +140,7 @@ int imap_parse_path (const char* path, IMAP_MBOX* mx)
mx->account.flags |= M_ACCT_USER;
}
if ((n = sscanf (tmp, "%128[^:/]%128s", mx->account.host, tmp)) < 1)
if ((n = sscanf (tmp, "%127[^:/]%127s", mx->account.host, tmp)) < 1)
{
dprint (1, (debugfile, "imap_parse_path: NULL host in %s\n", path));
FREE (&mx->mbox);
......@@ -148,7 +148,7 @@ int imap_parse_path (const char* path, IMAP_MBOX* mx)
}
if (n > 1) {
if (sscanf (tmp, ":%hd%128s", &(mx->account.port), tmp) >= 1)
if (sscanf (tmp, ":%hd%127s", &(mx->account.port), tmp) >= 1)
mx->account.flags |= M_ACCT_PORT;
if (sscanf (tmp, "/%s", tmp) == 1)
{
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment