authorQualys Security Advisory <qsa@qualys.com>2021-02-21 21:49:30 -0800
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-04-28 00:40:46 +0200
commit638f7ca75694bcbb70cfbe7db2ef52af4aca5c83 (patch)
treee8e575e5731684e19995d7c5297e526250bfd082
parent1241deaefb71c40436320af7d0bd04c7c9e54241 (diff)
downloadexim4-638f7ca75694bcbb70cfbe7db2ef52af4aca5c83.tar.gz
CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
(cherry picked from commit 998e5a9db121c3eff15cac16859bdffd7adcbe57)
-rw-r--r--src/src/smtp_in.c3
-rw-r--r--src/src/tls.c3
2 files changed, 6 insertions, 0 deletions
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index a8b92d0be..258ec03e4 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -831,6 +831,9 @@ Returns: the character
int
smtp_ungetc(int ch)
{
+if (smtp_inptr <= smtp_inbuffer)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
+
*--smtp_inptr = ch;
return ch;
}
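Review bot: The guard added at the top of smtp_ungetc() only protects the buffer because log_write() with LOG_PANIC_DIE is expected to terminate the process; there is no `return` or `else` after it, so `*--smtp_inptr = ch;` would still write below smtp_inbuffer if that call ever returned. A comment above the check would make that dependency explicit, for example `/* LOG_PANIC_DIE does not return, so the store below never runs at the start of the buffer */`, and the function's header comment (it begins above the hunk and ends in `Returns: the character`) should state that the function does not return on underflow. The same applies to the equivalent guard added to tls_ungetc() in src/src/tls.c. Because the two log strings are distinct, a panic-log entry matching `buffer underflow in smtp_ungetc` or `buffer underflow in tls_ungetc` is worth alerting on: it most likely means input from a peer pushed the read position back to the start of the buffer.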
diff --git a/src/src/tls.c b/src/src/tls.c
index e5aabc6b4..d37a8f9ff 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -157,6 +157,9 @@ Returns: the character
int
tls_ungetc(int ch)
{
+if (ssl_xfer_buffer_lwm <= 0)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
return ch;
}