+------------------------------------------------------------
+revno: 3939
+committer: brendan
+timestamp: Mon 2006-06-19 18:14:03 +0000
+message:
+ From: TAKAHASHI Tamotsu <tamo@momonga-linux.org>
+
+ Fix browse_get_namespace() which could overflow ns[LONG_STRING].
+ (Possible remote vulnerability)
+------------------------------------------------------------
+revno: 3940
+committer: brendan
+timestamp: Mon 2006-06-19 18:14:54 +0000
+message:
+ # changelog commit
+--- ChangeLog.orig
++++ ChangeLog
+@@ -1,3 +1,8 @@
++2006-06-19 18:14:03 TAKAHASHI Tamotsu <tamo@momonga-linux.org> (brendan)
++
++ * imap/browse.c: Fix browse_get_namespace() which could overflow
++ ns[LONG_STRING]. (Possible remote vulnerability)
++
+ 2006-04-03 20:26:14 Brendan Cully <brendan@kublai.com> (brendan)
+
+ * imap/command.c: Don't pass a null destination to imap_fix_path
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
+@@ -516,12 +516,14 @@
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does