From 3b6f6b829718ec8a7cf3eb6997d86e83e6c38567 Mon Sep 17 00:00:00 2001
From: Vincent Lefevre <vincent@vinc17.net>
Date: Wed, 15 May 2019 13:05:09 +0200
Subject: [PATCH] Avoid undefined behavior on huge integer in a RFC 2231 header.

The atoi() function was called on the index, which can potentially be huge in an invalid message and can yield undefined behavior. The mutt_atoi() function is now used for error detection.
---
 rfc2231.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rfc2231.c b/rfc2231.c
index cf92c2ff..e3d8e1a5 100644
--- a/rfc2231.c
+++ b/rfc2231.c
@@ -146,7 +146,12 @@ void rfc2231_decode_parameters (PARAMETER **headp)
 encoded = (*t == '*');
 *t = '\0';
- index = atoi (s);
+ /* RFC 2231 says that the index starts at 0 and increments by 1,
+ thus an overflow should never occur in a valid message, thus
+ the value INT_MAX in case of overflow does not really matter
+ (the goal is just to avoid undefined behavior). */
+ if (mutt_atoi (s, &index))
+ index = INT_MAX;
 conttmp = rfc2231_new_parameter ();
 conttmp->attribute = p->attribute;
-- 
2.24.1
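Review bot: The fallback `index = INT_MAX;` under the new `if (mutt_atoi (s, &index))` presumably fires on every conversion failure, not only on overflow, so a non-numeric section index such as `name*abc*` — which atoi() used to read as 0 — now lands at the end of the continuation order, while the comment above only talks about overflow; it should state this, e.g. `/* Any unparsable index (overflow or non-numeric) is mapped to INT_MAX; RFC 2231 indices start at 0 and increment by 1, so this cannot happen in a valid message and only avoids UB. */`. Negative values still parse successfully even though RFC 2231 §3 defines the index as a non-negative decimal, so `if (mutt_atoi (s, &index) || index < 0)` would route them to the same sentinel instead of feeding a negative index to the later ordering code. INT_MAX requires `<limits.h>`, which this hunk does not show being included; confirm rfc2231.c or a mutt header already provides it. rfc2231_decode_parameters begins and ends outside the hunk, so how index is later consumed is not visible here.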