From 37f345bdda1675d3add94d36ac90c2e91b09c77f Mon Sep 17 00:00:00 2001
From: Apollon Oikonomopoulos <apoikos@debian.org>
Date: Mon, 25 Mar 2019 22:04:15 +0200
Subject: [PATCH] Fix CVE-2019-7524

commit 71578098bb5056ebc63d9c4f4048ec2034437672
Author: Timo Sirainen <timo.sirainen@open-xchange.com>
Date:   Mon Feb 4 19:25:13 2019 -0800

    fts: Fix buffer overflow when reading oversized fts header

commit b3837ac9574910b584f79e2fae7318624a71dffd
Author: Timo Sirainen <timo.sirainen@open-xchange.com>
Date:   Mon Feb 4 19:23:02 2019 -0800

    lib-storage: Fix buffer overflow when reading oversized hdr-pop3-uidl header
---
 src/lib-storage/index/index-pop3-uidl.c | 4 ++--
 src/plugins/fts/fts-api.c               | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib-storage/index/index-pop3-uidl.c b/src/lib-storage/index/index-pop3-uidl.c
index b5c8e0195..6803cfca5 100644
--- a/src/lib-storage/index/index-pop3-uidl.c
+++ b/src/lib-storage/index/index-pop3-uidl.c
@@ -37,7 +37,7 @@ bool index_pop3_uidl_can_exist(struct mail *mail)
 		/* this header isn't set yet */
 		return TRUE;
 	}
-	memcpy(&uidl, data, size);
+	memcpy(&uidl, data, sizeof(uidl));
 	return mail->uid <= uidl.max_uid_with_pop3_uidl;
 }
 
@@ -95,7 +95,7 @@ void index_pop3_uidl_update_exists_finish(struct mailbox_transaction_context *tr
 
 	/* check if we have already the same header */
 	if (size >= sizeof(uidl)) {
-		memcpy(&uidl, data, size);
+		memcpy(&uidl, data, sizeof(uidl));
 		if (trans->highest_pop3_uidl_uid == uidl.max_uid_with_pop3_uidl)
 			return;
 	}
diff --git a/src/plugins/fts/fts-api.c b/src/plugins/fts/fts-api.c
index 4184a4ae2..0cebf1440 100644
--- a/src/plugins/fts/fts-api.c
+++ b/src/plugins/fts/fts-api.c
@@ -425,7 +425,7 @@ bool fts_index_get_header(struct mailbox *box, struct fts_index_header *hdr_r)
 		memset(hdr_r, 0, sizeof(*hdr_r));
 		ret = FALSE;
 	} else {
-		memcpy(hdr_r, data, data_size);
+		memcpy(hdr_r, data, sizeof(*hdr_r));
 		ret = TRUE;
 	}
 	mail_index_view_close(&view);
-- 
2.20.1

