[exim-cvs] Fix crash in expansions

Góra strony
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Dla: exim-cvs
Temat: [exim-cvs] Fix crash in expansions
Gitweb: https://git.exim.org/exim.git/commitdiff/70069b65a39a7ba73a36fbd95371ff03cde1eb23
Commit:     70069b65a39a7ba73a36fbd95371ff03cde1eb23
Parent:     04e5caa9a7e84b2afca642d28096d988cb6802e7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Feb 2 20:00:35 2023 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Feb 2 20:00:35 2023 +0000


    Fix crash in expansions


    Broken-by: 1058096b8c53
---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/expand.c      | 9 +++++----
 test/stderr/0630      | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d85af1786..bad73cc7b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -105,6 +105,10 @@ JH/20 Fix TLSA lookups.  Previously dns_again_means_nonexist would affect
 JH/21 Bug 2434: Add connection-elapsed "D=" element to more connection
       closure log lines.


+JH/23 Fix crash in string expansions. Previously, if an empty variable was
+      immediately followed by an expansion operator, a null-indirection read
+      was done, killing the process.
+


 Exim version 4.96
 -----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index 10f009ce2..a7e6e4fb3 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -4747,7 +4747,7 @@ while (*s)
     continue;
     }


-  if (isdigit(*s))
+  if (isdigit(*s))        /* A $<n> variable */
     {
     int n;
     s = read_cnumber(&n, s);
@@ -7165,6 +7165,7 @@ NOT_ITEM: ;


     /* Deal specially with operators that might take a certificate variable
     as we do not want to do the usual expansion. For most, expand the string.*/
+
     switch(c)
       {
 #ifndef DISABLE_TLS
@@ -7213,7 +7214,7 @@ NOT_ITEM: ;
     to the main loop top. */


      {
-     int start = yield->ptr;
+     unsigned expansion_start = gstring_length(yield);
      switch(c)
       {
       case EOP_BASE32:
@@ -8275,8 +8276,8 @@ NOT_ITEM: ;


        DEBUG(D_expand)
     {
-    const uschar * s = yield->s + start;
-    int i = yield->ptr - start;
+    const uschar * s = yield->s + expansion_start;
+    int i = gstring_length(yield) - expansion_start;
     BOOL tainted = is_tainted(s);


     DEBUG(D_noutf8)
diff --git a/test/stderr/0630 b/test/stderr/0630
index 28904eb94..3ecc9dcbd 100644
--- a/test/stderr/0630
+++ b/test/stderr/0630
@@ -1,3 +1,4 @@
+01:01:01 p1235  no   domain  retry record
 01:01:01 p1235  no   address retry record
 01:01:01 p1235  dest3@???: queued for routing
 01:01:01 p1235  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>