diff options
author | Qualys Security Advisory <qsa@qualys.com> | 2021-02-21 21:45:19 -0800 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:45 +0200 |
commit | 1241deaefb71c40436320af7d0bd04c7c9e54241 (patch) | |
tree | 7e5327694c92dd5dcffabc736751be266ec5ca75 | |
parent | fcddccd650178ceeec3655c6c40f420164a8706e (diff) | |
download | exim4-1241deaefb71c40436320af7d0bd04c7c9e54241.tar.gz |
CVE-2020-28009: Integer overflow in get_stdinput()
(cherry picked from commit bbf1bb10bee5a1d7cbcc97f178b348189219eb7d)
-rw-r--r-- | src/src/string.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/src/src/string.c b/src/src/string.c index f91a6a428..27e030bd8 100644 --- a/src/src/string.c +++ b/src/src/string.c @@ -1091,7 +1091,16 @@ existing length of the string. */ unsigned inc = oldsize < 4096 ? 127 : 1023; +if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size); + if (count <= 0) return; + +if (count >= INT_MAX/2 - g->ptr) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in gstring_grow (ptr %d count %d)", g->ptr, count); + g->size = (p + count + inc + 1) & ~inc; /* one for a NUL */ /* Try to extend an existing allocation. If the result of calling @@ -1140,6 +1149,10 @@ string_catn(gstring * g, const uschar *s, int count) int p; BOOL srctaint = is_tainted(s); +if (count < 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in string_catn (count %d)", count); + if (!g) { unsigned inc = count < 4096 ? 127 : 1023; @@ -1149,8 +1162,12 @@ if (!g) else if (srctaint && !is_tainted(g->s)) gstring_rebuffer(g); +if (g->ptr < 0 || g->ptr > g->size) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "internal error in string_catn (ptr %d size %d)", g->ptr, g->size); + p = g->ptr; -if (p + count >= g->size) +if (count >= g->size - p) gstring_grow(g, count); /* Because we always specify the exact number of characters to copy, we can |