authorQualys Security Advisory <qsa@qualys.com>2021-02-21 19:22:33 -0800
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-04-28 00:40:40 +0200
commit08102cbe8102f99b31655aa0e926c45b427efe6d (patch)
treeeb24d3d03f4677bf1bcf9b75d3b3e852e69193c2
parentdbc3ab675c2e5e2a07ed13dc5ede4daa018600e7 (diff)
CVE-2020-28011: Heap buffer overflow in queue_run()
(cherry picked from commit 6e1fb878e95f8e6f838ffde5258c7a969c981865)
-rw-r--r--src/src/queue.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/src/src/queue.c b/src/src/queue.c
index 37d612482..a93a7a55f 100644
--- a/src/src/queue.c
+++ b/src/src/queue.c
@@ -393,12 +393,18 @@ if (!recurse)
p += sprintf(CS p, " -q%s", extras);
if (deliver_selectstring)
- p += sprintf(CS p, " -R%s %s", f.deliver_selectstring_regex? "r" : "",
- deliver_selectstring);
+ {
+ snprintf(CS p, big_buffer_size - (p - big_buffer), " -R%s %s",
+ f.deliver_selectstring_regex? "r" : "", deliver_selectstring);
+ p += Ustrlen(CCS p);
+ }
if (deliver_selectstring_sender)
- p += sprintf(CS p, " -S%s %s", f.deliver_selectstring_sender_regex? "r" : "",
- deliver_selectstring_sender);
+ {
+ snprintf(CS p, big_buffer_size - (p - big_buffer), " -S%s %s",
+ f.deliver_selectstring_sender_regex? "r" : "", deliver_selectstring_sender);
+ p += Ustrlen(CCS p);
+ }
log_detail = string_copy(big_buffer);
if (*queue_name)
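Review bot: Both added snprintf() calls discard the return value, so an over-long deliver_selectstring or deliver_selectstring_sender is now truncated silently, and the string copied into log_detail gives no sign that the -R/-S argument was cut. I would keep the remaining space in a local and test the result, e.g. `int n = snprintf(CS p, rem, " -R%s %s", ...);` followed by `if (n < 0 || n >= rem) { /* note truncation in the log */ }`, which also lets p advance by a checked length instead of a second Ustrlen() scan. A short comment that `big_buffer_size - (p - big_buffer)` relies on p never passing the end of big_buffer would help, since the result is converted to size_t for snprintf() and a negative difference would become a very large bound. The enclosing `if (!recurse)` block starts and ends outside the hunk, and the context line `sprintf(CS p, " -q%s", extras)` is still unbounded; the size of extras is not visible here, so that is worth confirming.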