Gitweb:
https://git.exim.org/exim.git/commitdiff/70069b65a39a7ba73a36fbd95371ff03cde1eb23
Commit: 70069b65a39a7ba73a36fbd95371ff03cde1eb23
Parent: 04e5caa9a7e84b2afca642d28096d988cb6802e7
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Feb 2 20:00:35 2023 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Feb 2 20:00:35 2023 +0000
Fix crash in expansions
Broken-by: 1058096b8c53
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/expand.c | 9 +++++----
test/stderr/0630 | 1 +
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d85af1786..bad73cc7b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -105,6 +105,10 @@ JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect
JH/21 Bug 2434: Add connection-elapsed "D=" element to more connection
closure log lines.
+JH/23 Fix crash in string expansions. Previously, if an empty variable was
+ immediately followed by an expansion operator, a null-indirection read
+ was done, killing the process.
+
Exim version 4.96
-----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index 10f009ce2..a7e6e4fb3 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -4747,7 +4747,7 @@ while (*s)
continue;
}
- if (isdigit(*s))
+ if (isdigit(*s)) /* A $<n> variable */
{
int n;
s = read_cnumber(&n, s);
@@ -7165,6 +7165,7 @@ NOT_ITEM: ;
/* Deal specially with operators that might take a certificate variable
as we do not want to do the usual expansion. For most, expand the string.*/
+
switch(c)
{
#ifndef DISABLE_TLS
@@ -7213,7 +7214,7 @@ NOT_ITEM: ;
to the main loop top. */
{
- int start = yield->ptr;
+ unsigned expansion_start = gstring_length(yield);
switch(c)
{
case EOP_BASE32:
@@ -8275,8 +8276,8 @@ NOT_ITEM: ;
DEBUG(D_expand)
{
- const uschar * s = yield->s + start;
- int i = yield->ptr - start;
+ const uschar * s = yield->s + expansion_start;
+ int i = gstring_length(yield) - expansion_start;
BOOL tainted = is_tainted(s);
DEBUG(D_noutf8)
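Review bot: The debug block still dereferences `yield` directly in `const uschar * s = yield->s + expansion_start;`, so if `yield` can be NULL at this point (the empty-variable case the ChangeLog entry describes, when the operator also appends nothing) the null read is still reachable whenever D_expand debugging is enabled. `gstring_length()` is presumably the NULL-tolerant accessor, which is why the offset and length were switched to it; the pointer needs the same care, for example `const uschar * s = yield ? yield->s + expansion_start : US"";`. `expansion_start` is now unsigned while `i` remains `int`, which is fine as long as the length never drops below the start, but it deserves a one-line comment. The enclosing block starts and ends outside this hunk, and the diffstat shows no test exercising an empty variable followed by an operator, so a regression case in the test suite would help keep this crash fixed.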
diff --git a/test/stderr/0630 b/test/stderr/0630
index 28904eb94..3ecc9dcbd 100644
--- a/test/stderr/0630
+++ b/test/stderr/0630
@@ -1,3 +1,4 @@
+01:01:01 p1235 no domain retry record
01:01:01 p1235 no address retry record
01:01:01 p1235 dest3@???: queued for routing
01:01:01 p1235 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>