Index: apps/app_voicemail.c
===================================================================
--- apps/app_voicemail.c	(revision 420143)
+++ apps/app_voicemail.c	(working copy)
@@ -861,7 +861,8 @@
 #ifdef IMAP_STORAGE
 	ast_mutex_t lock;
 	int updated;                         /*!< decremented on each mail check until 1 -allows delay */
-	long msgArray[VMSTATE_MAX_MSG_ARRAY];
+	long *msgArray;
+	unsigned msg_array_max;
 	MAILSTREAM *mailstream;
 	int vmArrayIndex;
 	char imapuser[80];                   /*!< IMAP server login */
@@ -2266,6 +2267,7 @@
 		res = -1;
 		goto exit;
 	}
+	ast_assert(msgnum < vms->msg_array_max);
 
 	make_file(vms->fn, sizeof(vms->fn), dir, msgnum);
 	snprintf(vms->introfn, sizeof(vms->introfn), "%sintro", vms->fn);
@@ -3072,6 +3074,18 @@
 	}
 
 	ast_debug(3, "saving mailbox message number %lu as message %d. Interactive set to %d\n", number, vms->vmArrayIndex, vms->interactive);
+
+	/* Ensure we have room for the next message. */
+	if (vms->vmArrayIndex >= vms->msg_array_max) {
+		long *new_mem = ast_realloc(vms->msgArray, 2 * vms->msg_array_max * sizeof(long));
+		if (!new_mem) {
+			ast_log(LOG_ERROR, "Not enougn memory to store IMAP message %d.\n", vms->vmArrayIndex);
+			return;
+		}
+		vms->msgArray = new_mem;
+		vms->msg_array_max *= 2;
+	}
+
 	vms->msgArray[vms->vmArrayIndex++] = number;
 }
 
@@ -3349,6 +3363,7 @@
 		return vms_p;
 	}
 	ast_debug(5, "Adding new vmstate for %s\n", vmu->imapuser);
+	/* XXX: When is this ever freed? And will vms_p->msgArray get freed? */
 	if (!(vms_p = ast_calloc(1, sizeof(*vms_p))))
 		return NULL;
 	ast_copy_string(vms_p->imapuser, vmu->imapuser, sizeof(vms_p->imapuser));
@@ -3463,6 +3478,7 @@
 			vms->newmessages = altvms->newmessages;
 			vms->oldmessages = altvms->oldmessages;
 			vms->vmArrayIndex = altvms->vmArrayIndex;
+			/* XXX: no msgArray copying? */
 			vms->lastmsg = altvms->lastmsg;
 			vms->curmsg = altvms->curmsg;
 			/* get a pointer to the persistent store */
@@ -3521,10 +3537,14 @@
 	
 	if (vc) {
 		ast_mutex_destroy(&vc->vms->lock);
+		ast_free(vc->vms->msgArray);
+		vc->vms->msgArray = NULL;
+		vc->vms->msg_array_max = 0;
+		/* XXX: is no one supposed to free vms itself? */
 		ast_free(vc);
+	} else {
+		ast_log(AST_LOG_ERROR, "No vmstate found for user:%s, mailbox %s\n", vms->imapuser, vms->username);
 	}
-	else
-		ast_log(AST_LOG_ERROR, "No vmstate found for user:%s, mailbox %s\n", vms->imapuser, vms->username);
 }
 
 static void set_update(MAILSTREAM * stream)
@@ -3546,11 +3566,13 @@
 
 static void init_vm_state(struct vm_state *vms)
 {
-	int x;
+	vms->msg_array_max = VMSTATE_MAX_MSG_ARRAY;
+	vms->msgArray = ast_calloc(vms->msg_array_max, sizeof(long));
+	if (!vms->msgArray) {
+		/* Out of mem? This can't be good. */
+		vms->msg_array_max = 0;
+	}
 	vms->vmArrayIndex = 0;
-	for (x = 0; x < VMSTATE_MAX_MSG_ARRAY; x++) {
-		vms->msgArray[x] = 0;
-	}
 	ast_mutex_init(&vms->lock);
 }