(pop_stat, pop_last): Check validity of string-to-integer

conversion.  Mistakes spotted by Nico Golde.

1 files changed, 29 insertions, 3 deletions

diff --git a/lib-src/pop.c b/lib-src/pop.c
index e8cf42b320a..5dc5de75583 100644
--- a/lib-src/pop.c
+++ b/lib-src/pop.c
@@ -352,6 +352,7 @@ pop_stat (server, count, size)
      int *size;
 {
   char *fromserver;
+  char *end_ptr;
 
   if (server->in_multi)
     {
@@ -377,7 +378,15 @@ pop_stat (server, count, size)
       return (-1);
     }
 
-  *count = atoi (&fromserver[4]);
+  errno = 0;
+  *count = strtol (&fromserver[4], &end_ptr, 10);
+  /* Check validity of string-to-integer conversion. */
+  if (fromserver[4] == 0 || *end_ptr != 0 || errno)
+    {
+      strcpy (pop_error, "Unexpected response from POP server in pop_stat");
+      pop_trash (server);
+      return (-1);
+    }
 
   fromserver = index (&fromserver[4], ' ');
   if (! fromserver)
@@ -388,7 +397,14 @@ pop_stat (server, count, size)
       return (-1);
     }
 
-  *size = atoi (fromserver + 1);
+  errno = 0;
+  *size = strtol (fromserver + 1, &end_ptr, 10);
+  if (*(fromserver + 1) == 0 || *end_ptr != 0 || errno)
+    {
+      strcpy (pop_error, "Unexpected response from POP server in pop_stat");
+      pop_trash (server);
+      return (-1);
+    }
 
   return (0);
 }
@@ -913,7 +929,17 @@ pop_last (server)
     }
   else
     {
-      return (atoi (&fromserver[4]));
+      char *end_ptr;
+      int count;
+      errno = 0;
+      count = strtol (&fromserver[4], &end_ptr, 10);
+      if (fromserver[4] == 0 || *end_ptr != 0 || errno)
+	{
+	  strcpy (pop_error, "Unexpected response from server in pop_last");
+	  pop_trash (server);
+	  return (-1);
+	}
+      return count;
     }
 }