From 87619bad1dde783294120b699e7073a598b8a425 Mon Sep 17 00:00:00 2001
From: Shaun Amott
Date: Fri, 30 Jun 2006 14:38:26 +0000
Subject: [PATCH] Fix IMAP buffer overflow: http://www.securityfocus.com/bid/18642
PR: ports/99614 [1], ports/99610 [2]
Submitted by: Udo Schweigert (maintainer) [1], J.P. Dinger [2]
Approved by: ahze (mentor)
---
 mail/mutt/Makefile | 2 +-
 mail/mutt/files/patch-imap-browse.c | 28 +++++++++++++++++++++++++++
 mail/mutt14/Makefile | 2 +-
 mail/mutt14/files/patch-imap-browse.c | 28 +++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 mail/mutt/files/patch-imap-browse.c
 create mode 100644 mail/mutt14/files/patch-imap-browse.c
diff --git a/mail/mutt/Makefile b/mail/mutt/Makefile
index 0aacb1f50588..51fb7ee32d85 100644
--- a/mail/mutt/Makefile
+++ b/mail/mutt/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= mutt
 PORTVERSION= 1.4.2.1
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES+= mail ipv6
 MASTER_SITES= ftp://ftp.mutt.org/mutt/ \
 ftp://ftp.fu-berlin.de/pub/unix/mail/mutt/ \
diff --git a/mail/mutt/files/patch-imap-browse.c b/mail/mutt/files/patch-imap-browse.c
new file mode 100644
index 000000000000..86cda3140e69
--- /dev/null
+++ b/mail/mutt/files/patch-imap-browse.c
@@ -0,0 +1,28 @@
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does
+
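Review bot: When either bounded loop in the patched `browse_get_namespace` stops because `n` reached `sizeof (ns) - 1`, `s` is left pointing into the middle of the over-long name, so the `imap_next_word (s)` call that follows appears to parse the unread tail of the name as the delimiter field. The only signal is the `dprint` at level 1, which is presumably active only in debug builds, so a truncated namespace from the server is otherwise accepted silently; the `n == sizeof (ns) - 1` test also fires for a name that fits exactly. It would be safer to consume the rest of the token before parsing on, for the unquoted branch `while (*s && !ISSPACE (*s)) s++;` after the copy loop (and the escape-aware equivalent up to the closing quote in the quoted branch), or to reject the NAMESPACE entry outright. The function starts and ends outside the two inner hunks and lines 512-515 between them are not shown, so the handling of a trailing backslash and of the closing quote could not be checked. The identical patch is added under mail/mutt14/files/patch-imap-browse.c and the same point applies there.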
diff --git a/mail/mutt14/Makefile b/mail/mutt14/Makefile
index 0aacb1f50588..51fb7ee32d85 100644
--- a/mail/mutt14/Makefile
+++ b/mail/mutt14/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= mutt
 PORTVERSION= 1.4.2.1
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES+= mail ipv6
 MASTER_SITES= ftp://ftp.mutt.org/mutt/ \
 ftp://ftp.fu-berlin.de/pub/unix/mail/mutt/ \
diff --git a/mail/mutt14/files/patch-imap-browse.c b/mail/mutt14/files/patch-imap-browse.c
new file mode 100644
index 000000000000..86cda3140e69
--- /dev/null
+++ b/mail/mutt14/files/patch-imap-browse.c
@@ -0,0 +1,28 @@
+--- imap/browse.c.orig
++++ imap/browse.c
+@@ -505,7 +505,7 @@ static int browse_get_namespace (IMAP_DA
+ if (*s == '\"')
+ {
+ s++;
+- while (*s && *s != '\"')
++ while (*s && *s != '\"' && n < sizeof (ns) - 1)
+ {
+ if (*s == '\\')
+ s++;
+@@ -516,12 +516,14 @@ static int browse_get_namespace (IMAP_DA
+ s++;
+ }
+ else
+- while (*s && !ISSPACE (*s))
++ while (*s && !ISSPACE (*s) && n < sizeof (ns) - 1)
+ {
+ ns[n++] = *s;
+ s++;
+ }
+ ns[n] = '\0';
++ if (n == sizeof (ns) - 1)
++ dprint (1, (debugfile, "browse_get_namespace: too long: [%s]\n", ns));
+ /* delim? */
+ s = imap_next_word (s);
+ /* delimiter is meaningless if namespace is "". Why does
+