From 3b6f6b829718ec8a7cf3eb6997d86e83e6c38567 Mon Sep 17 00:00:00 2001
From: Vincent Lefevre <vincent@vinc17.net>
Date: Wed, 15 May 2019 13:05:09 +0200
Subject: [PATCH] Avoid undefined behavior on huge integer in a RFC 2231
 header.

The atoi() function was called on the index, which can potentially
be huge in an invalid message and can yield undefined behavior. The
mutt_atoi() function is now used for error detection.
---
 rfc2231.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rfc2231.c b/rfc2231.c
index cf92c2ff..e3d8e1a5 100644
--- a/rfc2231.c
+++ b/rfc2231.c
@@ -146,7 +146,12 @@ void rfc2231_decode_parameters (PARAMETER **headp)
       encoded = (*t == '*');
       *t = '\0';
 
-      index = atoi (s);
+      /* RFC 2231 says that the index starts at 0 and increments by 1,
+         thus an overflow should never occur in a valid message, thus
+         the value INT_MAX in case of overflow does not really matter
+         (the goal is just to avoid undefined behavior). */
+      if (mutt_atoi (s, &index))
+        index = INT_MAX;
 
       conttmp = rfc2231_new_parameter ();
       conttmp->attribute = p->attribute;
-- 
2.24.1