41 lines
1.2 KiB
Diff
41 lines
1.2 KiB
Diff
From 7c4779ac24d2fb68a2a47b58c7904118f40965d5 Mon Sep 17 00:00:00 2001
|
|
From: Kevin McCarthy <kevin@8t8.us>
|
|
Date: Mon, 3 May 2021 13:11:30 -0700
|
|
Subject: [PATCH] Fix seqset iterator when it ends in a comma.
|
|
|
|
If the seqset ended with a comma, the substr_end marker would be just
|
|
before the trailing nul. In the next call, the loop to skip the
|
|
marker would iterate right past the end of string too.
|
|
|
|
The fix is simple: place the substr_end marker and skip past it
|
|
immediately.
|
|
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
[Peter: fixes CVE-2021-32055]
|
|
---
|
|
imap/util.c | 4 +---
|
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
|
diff --git a/imap/util.c b/imap/util.c
|
|
index c529fd8f..488e8396 100644
|
|
--- a/imap/util.c
|
|
+++ b/imap/util.c
|
|
@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, unsigned int *next)
|
|
if (iter->substr_cur == iter->eostr)
|
|
return 1;
|
|
|
|
- while (!*(iter->substr_cur))
|
|
- iter->substr_cur++;
|
|
iter->substr_end = strchr (iter->substr_cur, ',');
|
|
if (!iter->substr_end)
|
|
iter->substr_end = iter->eostr;
|
|
else
|
|
- *(iter->substr_end) = '\0';
|
|
+ *(iter->substr_end++) = '\0';
|
|
|
|
range_sep = strchr (iter->substr_cur, ':');
|
|
if (range_sep)
|
|
--
|
|
2.20.1
|
|
|