Submitted By: Ag. Hatzimanikas
Date: 2006-08-09
Initial Package Version: 1.5.11
Origin: From Upstream
Upstream Status: Applied
	http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commit;h=dc0272b749f0e2b102973b7ac43dbd3908507540
Description: Fixes a buffer overflow.
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242

diff -Naur mutt-1.5.11.orig/imap/browse.c mutt-1.5.11/imap/browse.c
--- mutt-1.5.11.orig/imap/browse.c	2005-08-11 22:37:02.000000000 +0300
+++ mutt-1.5.11/imap/browse.c	2006-07-18 23:23:01.000000000 +0300
@@ -512,7 +512,7 @@
 	    if (*s == '\"')
 	    {
 	      s++;
-	      while (*s && *s != '\"') 
+	      while (*s && *s != '\"' && n < sizeof (ns) - 1) 
 	      {
 		if (*s == '\\')
 		  s++;
@@ -523,12 +523,14 @@
 		s++;
 	    }
 	    else
-	      while (*s && !ISSPACE (*s)) 
+	      while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
 	      {
 		ns[n++] = *s;
 		s++;
 	      }
 	    ns[n] = '\0';
+	    if (n == sizeof (ns) - 1)
+	      dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
 	    /* delim? */
 	    s = imap_next_word (s);
 	    /* delimiter is meaningless if namespace is "". Why does