(util_finish): Fix potential vulnerability (IDEF0954).

@@ -199,13 +199,14 @@ util_msgset (char *s, size_t ** set, int *n, int isuid)
 	  {
 	    errno = 0;
 	    val = strtoul (s, &s, 10);
-	    if (val == ULONG_MAX && errno == ERANGE)
+	    if ((val == ULONG_MAX && errno == ERANGE) || val > max)
 	      {
 		if (*set)
 		  free (*set);
 		*n = 0;
 		return EINVAL;
 	      }
+	    
 	    if (low)
 	      {
 		/* Reverse it. */
@@ -400,26 +401,40 @@ util_out (int rc, const char *format, ...)
 int
 util_finish (struct imap4d_command *command, int rc, const char *format, ...)
 {
-  char *tempbuf = NULL;
+  size_t size;
   char *buf = NULL;
+  char *tempbuf = NULL;
   int new_state;
   int status = 0;
   va_list ap;
-
-  asprintf (&tempbuf, "%s %s%s %s\r\n", command->tag, sc2string (rc),
-	    command->name, format);
+  char *sc = sc2string (rc);
+  
   va_start (ap, format);
-  vasprintf (&buf, tempbuf, ap);
+  vasprintf (&tempbuf, format, ap);
   va_end (ap);
+  if (!tempbuf)
+    imap4d_bye (ERR_NO_MEM);
+  
+  size = strlen (command->tag) + 1 +
+         strlen (sc) + strlen (command->name) + 1 +
+         strlen (tempbuf) + 1;
+  buf = malloc (size);
   if (!buf)
     imap4d_bye (ERR_NO_MEM);
+  strcpy (buf, command->tag);
+  strcat (buf, " ");
+  strcat (buf, sc);
+  strcat (buf, command->name);
+  strcat (buf, " ");
+  strcat (buf, tempbuf);
+  free (tempbuf);
 
   if (daemon_param.transcript)
-    syslog (LOG_DEBUG, "sent: %s", buf);
+    syslog (LOG_DEBUG, "sent: %s\r\n", buf);
 
-  status = stream_sequential_write (ostream, buf, strlen (buf));
+  stream_sequential_write (ostream, buf, strlen (buf));
   free (buf);
-  free (tempbuf);
+  stream_sequential_write (ostream, "\r\n", 2);
 
   /* Reset the state.  */
   if (rc == RESP_OK)