More checks on header line length during reception

2 files changed, 11 insertions, 2 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a3de86432..e2dd71b2b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -187,6 +187,10 @@ JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT.  Previously
       it only wrote the new authenticators, resulting in a lack of tracking of
       peer changes of ESMTP extensions until the next cache flush.
 
+JH/41 Fix the loop reading a message header line to check for integer overflow,
+      and more-often against header_maxsize.  Previously a crafted message could
+      induce a crash of the recive process; now the message is cleanly rejected.
+
 
 Exim version 4.91
 -----------------
diff --git a/src/src/receive.c b/src/src/receive.c
index 6d54ad33c..a0467e8c8 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1827,8 +1827,11 @@ for (;;)
   if (ptr >= header_size - 4)
     {
     int oldsize = header_size;
-    /* header_size += 256; */
+
+    if (header_size >= INT_MAX/2)
+      goto OVERSIZE;
     header_size *= 2;
+
     if (!store_extend(next->text, oldsize, header_size))
       next->text = store_newblock(next->text, header_size, ptr);
     }
@@ -1934,6 +1937,7 @@ for (;;)
 
   if (message_size >= header_maxsize)
     {
+OVERSIZE:
     next->text[ptr] = 0;
     next->slen = ptr;
     next->type = htype_other;
@@ -2005,7 +2009,8 @@ for (;;)
     if (nextch == ' ' || nextch == '\t')
       {
       next->text[ptr++] = nextch;
-      message_size++;
+      if (++message_size >= header_maxsize)
+	goto OVERSIZE;
       continue;                      /* Iterate the loop */
       }
     else if (nextch != EOF) (receive_ungetc)(nextch);   /* For next time */