Gitweb:
https://git.exim.org/exim.git/commitdiff/afd37f7448663232f90217006956b1f37b6005bc
Commit: afd37f7448663232f90217006956b1f37b6005bc
Parent: b4d476116397d395fb9b424e1e4387736865190c
Author: Qualys Security Advisory <qsa@???>
AuthorDate: Sun Feb 21 21:45:19 2021 -0800
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:52 2021 +0200
CVE-2020-28009: Integer overflow in get_stdinput()
(cherry picked from commit bbf1bb10bee5a1d7cbcc97f178b348189219eb7d)
(cherry picked from commit 1241deaefb71c40436320af7d0bd04c7c9e54241)
---
src/src/string.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/src/string.c b/src/src/string.c
index cb91324..64d1443 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -1094,7 +1094,16 @@ existing length of the string. */
unsigned inc = oldsize < 4096 ? 127 : 1023;
+if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
+
if (count <= 0) return;
+
+if (count >= INT_MAX/2 - g->ptr)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
+
g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */
/* Try to extend an existing allocation. If the result of calling
@@ -1143,6 +1152,10 @@ string_catn(gstring * g, const uschar *s, int count)
int p;
BOOL srctaint = is_tainted(s);
+if (count < 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "internal error in string_catn (count %d)", count);
+
if (!g)
{
unsigned inc = count < 4096 ? 127 : 1023;
@@ -1152,8 +1165,12 @@ if (!g)
else if (srctaint && !is_tainted(g->s))
gstring_rebuffer(g);
+if (g->ptr < 0 || g->ptr > g->size)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
+
p = g->ptr;
-if (p + count >= g->size)
+if (count >= g->size - p)
gstring_grow(g, count);
/* Because we always specify the exact number of characters to copy, we can
