
List:       kmail-devel
Subject:    [Bug 71549] QGArray::at: Absolute index out of range
From:       Martin Koller <m.koller () surfeu ! at>
Date:       2007-02-12 22:17:15
Message-ID: 20070212221715.3330.qmail () ktown ! kde ! org

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
         
http://bugs.kde.org/show_bug.cgi?id=71549         
m.koller surfeu at changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From m.koller surfeu at  2007-02-12 23:17 -------
SVN commit 633012 by mkoller:

BUG: 71549

Make sure that a corrupted .ids file does not allocate a huge amount
of memory by checking the consistency of the file length vs. the number of
items expected.

The patch does not cure the original problem of why the ids
file has corrupt content. I could not find out how this can happen
up till now.


 M  +15 -2     kmmsgdict.cpp  


--- branches/KDE/3.5/kdepim/kmail/kmmsgdict.cpp #633011:633012
 @ -16,6 +16,7  @
 #include <stdio.h>
 #include <unistd.h>
 
+#include <string.h>
 #include <errno.h>
 
 #include <config.h>
 @ -73,8 +74,7  @
   KMMsgDictREntry(int size = 0)
   {
     array.resize(size);
-    for (int i = 0; i < size; i++)
-      array.at(i) = 0;
+    memset(array.data(), 0, array.size() * sizeof(KMMsgDictEntry *));  // faster than a loop
     fp = 0;
     swapByteOrder = false;
     baseOffset = 0;
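Review bot: the `memset(array.data(), 0, array.size() * sizeof(KMMsgDictEntry *));` line assumes `array.data()` is non-null, but the constructor defaults to `size = 0`, after which `resize(0)` can leave `data()` null, and `memset(NULL, 0, 0)` is technically undefined even though common libcs tolerate it; guard it as `if (size > 0) memset(...)`. It also relies on a null `KMMsgDictEntry *` being all-zero bytes, which holds on every platform KMail targets but is an assumption the replaced loop did not make, so a short comment saying so would help the next reader.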
 @ -412,6 +412,19  @
   if (swapByteOrder)
      count = kmail_swap_32(count);
 
+  // quick consistency check to avoid allocating huge amount of memory
+  // due to reading corrupt file (#71549)
+  long pos = ftell(fp);       // store current position
+  fseek(fp, 0, SEEK_END);
+  long fileSize = ftell(fp);  // how large is the file ?
+  fseek(fp, pos, SEEK_SET);   // back to previous position
+
+  // the file must at least contain what we try to read below
+  if ( (fileSize - pos) < (count * sizeof(Q_UINT32)) ) {
+    fclose(fp);
+    return -1;
+  }
+
   KMMsgDictREntry *rentry = new KMMsgDictREntry(count);
 
   for (unsigned int index = 0; index < count; index++) {
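Review bot: the guard `if ( (fileSize - pos) < (count * sizeof(Q_UINT32)) )` can be bypassed by exactly the corrupt `count` it is meant to catch. The product `count * sizeof(Q_UINT32)` is computed in `size_t`, so on a 32-bit build a count such as 0x40000001 wraps to 4, the check passes, and `new KMMsgDictREntry(count)` still tries to allocate gigabytes; compare by division instead, e.g. `if ( fileSize < pos || (unsigned long)(fileSize - pos) / sizeof(Q_UINT32) < count )`. The comparison is also signed-vs-unsigned: if either `ftell` fails and returns -1, `fileSize - pos` goes negative, converts to a huge unsigned value and passes as well, so check the `ftell`/`fseek` return values and bail out on error. Lastly, the bound only proves `count` Q_UINT32 values remain; if the loop below reads more than one 32-bit value per item, the real per-item size should be used so the check is tight rather than merely a lower bound.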
_______________________________________________
KMail developers mailing list
KMail-devel@kde.org
https://mail.kde.org/mailman/listinfo/kmail-devel
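The length-versus-count check the commit message describes, written out as a stand-alone C example. This is added here and is not code from the KMail patch or from Martin Koller; it assumes a constructed file layout (a native-endian 4-byte count followed by payload bytes, built in a `tmpfile()`), compares by division instead of `count * sizeof(...)` so a corrupt count cannot wrap the product on 32-bit builds, and treats any `ftell`/`fseek` failure as "not enough data".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Does the stream hold at least `count` items of `item_size` bytes after the
 * current position?  Restores the position before returning.  Division
 * instead of multiplication keeps a corrupt `count` from wrapping the
 * product; any ftell/fseek error is treated as "not enough data". */
bool remaining_bytes_cover(FILE *fp, uint32_t count, size_t item_size)
{
    long pos = ftell(fp);
    if (pos < 0)
        return false;
    if (fseek(fp, 0, SEEK_END) != 0)
        return false;
    long end = ftell(fp);                       /* -1 on error */
    bool restored = fseek(fp, pos, SEEK_SET) == 0;
    if (!restored || end < pos)                 /* covers end == -1 */
        return false;
    unsigned long remaining = (unsigned long)(end - pos);
    if (item_size == 0)
        return true;
    return remaining / item_size >= count;
}

/* Constructed test input (assumed layout, not the real .ids format): a
 * native-endian 4-byte count followed by `payload_len` zero bytes. */
static FILE *make_test_file(uint32_t count, size_t payload_len)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    if (fwrite(&count, sizeof count, 1, fp) != 1) {
        fclose(fp);
        return NULL;
    }
    for (size_t i = 0; i < payload_len; i++) {
        if (fputc(0, fp) == EOF) {
            fclose(fp);
            return NULL;
        }
    }
    rewind(fp);
    return fp;
}

/* Same shape as the guarded read: consume the count from the file, then
 * decide before any allocation sized by it.  Returns 1 (accept),
 * 0 (refuse: file too short or count corrupt) or -1 (I/O problem). */
int check_count_against_file(uint32_t count, size_t payload_len)
{
    FILE *fp = make_test_file(count, payload_len);
    if (fp == NULL)
        return -1;
    uint32_t read_count = 0;
    if (fread(&read_count, sizeof read_count, 1, fp) != 1) {
        fclose(fp);
        return -1;
    }
    int ok = remaining_bytes_cover(fp, read_count, sizeof(uint32_t)) ? 1 : 0;
    fclose(fp);
    return ok;
}

int main(void)
{
    printf("3 items, 12 payload bytes:        %d\n", check_count_against_file(3, 12));
    printf("3 items, 11 payload bytes:        %d\n", check_count_against_file(3, 11));
    printf("corrupt count 0x40000001, 16 B:   %d\n",
           check_count_against_file(0x40000001u, 16));
    return 0;
}
```

The third case is the one the multiplied form gets wrong on a 32-bit `size_t`: 0x40000001 * 4 wraps to 4, which is less than the 16 bytes available, so the original comparison would accept it and the subsequent allocation would still be sized by the corrupt count.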