From 89e05910d1e5ccdb1e667e0a42f3645e3b46d77f Mon Sep 17 00:00:00 2001
From: ellie timoney
Date: Mon, 2 Dec 2024 14:46:42 +1100
Subject: [PATCH] mboxlist: better dbname/key INBOX bounds checking
Fixes #5146
---
 imap/mboxlist.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/imap/mboxlist.c b/imap/mboxlist.c
index 8270490fc0..b3fceccc65 100644
--- a/imap/mboxlist.c
+++ b/imap/mboxlist.c
@@ -378,7 +378,10 @@ static void mboxlist_dbname_to_key(const char *dbname, size_t len,
 char *inbox = mbname_dbname(mbname);
 size_t inboxlen = strlen(inbox);
- if (len >= inboxlen && !strncmp(dbname, inbox, inboxlen)) {
+ if (len >= inboxlen
+ && (!dbname[inboxlen] || dbname[inboxlen] == DB_HIERSEP_CHAR)
+ && !strncmp(dbname, inbox, inboxlen))
+ {
 buf_appendcstr(key, "INBOX");
 dbname += inboxlen;
 len -= inboxlen;
@@ -394,7 +397,13 @@ static void mboxlist_dbname_to_key(const char *dbname, size_t len,
 static void mboxlist_dbname_from_key(const char *key, size_t len,
 const char *userid, struct buf *dbname)
 {
- if (userid && len >= 6 && !strncmp(key+1, "INBOX", 5)) {
+ assert(key[0] == KEY_TYPE_NAME);
+
+ if (userid
+ && len >= 6
+ && (!key[6] || key[6] == DB_HIERSEP_CHAR)
+ && !strncmp(key+1, "INBOX", 5))
+ {
 mbname_t *mbname = mbname_from_userid(userid);
 char *inbox = mbname_dbname(mbname);
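Review bot: The new separator checks read the byte at index `len` whenever the name is exactly the INBOX prefix: with `len == inboxlen` the first hunk evaluates `dbname[inboxlen]`, and with `len == 6` the second hunk evaluates `key[6]`, each one byte past the `len` bytes the caller declared. That is only safe if every caller passes a NUL-terminated buffer, which these hunks do not show; since both functions take an explicit length, the exact-match case is better decided by length, `&& (len == inboxlen || dbname[inboxlen] == DB_HIERSEP_CHAR)` and `&& (len == 6 || key[6] == DB_HIERSEP_CHAR)`. In the second hunk the added `assert(key[0] == KEY_TYPE_NAME);` likewise dereferences `key[0]` before any length check, and presumably makes an unexpected key type a fatal assertion rather than an error the caller can handle, so a `len` guard ahead of it may be worth adding. Both function bodies begin or continue outside the hunks, so any earlier validation of `len` is not visible here.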