Package: dovecot / 1:2.2.13-12~deb8u4

fix-mbox-corruption-18534.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From: Timo Sirainen <tss@iki.fi>
Subject: mbox: Fixed crash/corruption in some situations when the first mail was expunged.

--- a/src/lib-storage/index/mbox/mbox-sync.c
+++ b/src/lib-storage/index/mbox/mbox-sync.c
@@ -630,7 +630,7 @@
 static int mbox_sync_handle_header(struct mbox_sync_mail_context *mail_ctx)
 {
 	struct mbox_sync_context *sync_ctx = mail_ctx->sync_ctx;
-	uoff_t orig_from_offset;
+	uoff_t orig_from_offset, postlf_from_offset = (uoff_t)-1;
 	off_t move_diff;
 	int ret;
 
@@ -647,6 +647,7 @@
 			if (sync_ctx->first_mail_crlf_expunged)
 				mail_ctx->mail.from_offset++;
 		}
+		postlf_from_offset = mail_ctx->mail.from_offset;
 
 		/* read the From-line before rewriting overwrites it */
 		if (mbox_read_from_line(mail_ctx) < 0)
@@ -700,10 +701,16 @@
 			/* create dummy message to describe the expunged data */
 			struct mbox_sync_mail mail;
 
+			/* if this is going to be the first mail, increase the
+			   from_offset to point to the beginning of the
+			   From-line, because the previous [CR]LF is already
+			   covered by expunged_space. */
+			i_assert(postlf_from_offset != (uoff_t)-1);
+			mail_ctx->mail.from_offset = postlf_from_offset;
+
 			memset(&mail, 0, sizeof(mail));
 			mail.expunged = TRUE;
 			mail.offset = mail.from_offset =
-				(sync_ctx->dest_first_mail ? 1 : 0) +
 				mail_ctx->mail.from_offset -
 				sync_ctx->expunged_space;
 			mail.space = sync_ctx->expunged_space;