Fix transport buffer size handling

Broken-by: 59932f7dcd

2 files changed, 5 insertions, 2 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9313c7b28..18db733aa 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -22,6 +22,9 @@ JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
 
 JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
 
+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+
 
 Exim version 4.92
 -----------------
diff --git a/src/src/transport.c b/src/src/transport.c
index 0fa90cb04..f34db0914 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1108,13 +1108,13 @@ DEBUG(D_transport)
 
 if (!(tctx->options & topt_no_body))
   {
-  int size = size_limit;
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;
 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;
-  while (  (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0
 	&& (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))