Fix transport buffer size handling

Broken-by: 59932f7dcd

(cherry picked from commit 05bf16f6217e93594929c8bbbbbc852caf3ed374)
(cherry picked from commit 1cfa7822ca8928f95160df8742af11fff888ae7e)

2 files changed, 9 insertions, 2 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d182115e4..1e4322491 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,6 +11,13 @@ Exim version 4.92.1
 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006)
 
 
+Since version 4.92
+------------------
+
+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+
+
 Exim version 4.92
 -----------------
 
diff --git a/src/src/transport.c b/src/src/transport.c
index 8ccdd0389..a069b8833 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1115,13 +1115,13 @@ DEBUG(D_transport)
 
 if (!(tctx->options & topt_no_body))
   {
-  int size = size_limit;
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;
 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;
-  while (  (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0
 	&& (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))