[hcoop/debian/exim4.git] / debian / patches / 84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch

From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 21:45:19 -0800
Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput()

---
 src/string.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/string.c b/src/string.c
index 3445f8a42..2cdbe7c75 100644
--- a/src/string.c
+++ b/src/string.c
@@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the
 existing length of the string. */
 
 unsigned inc = oldsize < 4096 ? 127 : 1023;
+
+if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
+
+if (count <= 0) return;
+
+if (count >= INT_MAX/2 - g->ptr)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
+
+
 g->size = ((p + count + inc) & ~inc) + 1;
 
 /* Try to extend an existing allocation. If the result of calling
@@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count)
 {
 int p;
 
+if (count < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in string_catn (count %d)", count);
+
 if (!g)
   {
   unsigned inc = count < 4096 ? 127 : 1023;
@@ -1201,8 +1217,13 @@ if (!g)
   g = string_get(size);
   }
 
+if (g->ptr < 0 || g->ptr > g->size)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
+
 p = g->ptr;
-if (p + count >= g->size)
+
+if (count >= g->size - p)
   gstring_grow(g, p, count);
 
 /* Because we always specify the exact number of characters to copy, we can
-- 
2.30.2
Commit	Line	Data
0c0c20aa AM	1	From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 21:45:19 -0800
	4	Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput()
	5
	6	---
	7	src/string.c \| 23 ++++++++++++++++++++++-
	8	1 file changed, 22 insertions(+), 1 deletion(-)
	9
	10	diff --git a/src/string.c b/src/string.c
	11	index 3445f8a42..2cdbe7c75 100644
	12	--- a/src/string.c
	13	+++ b/src/string.c
	14	@@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the
	15	existing length of the string. */
	16
	17	unsigned inc = oldsize < 4096 ? 127 : 1023;
	18	+
	19	+if (g->ptr < 0 \|\| g->ptr > g->size \|\| g->size >= INT_MAX/2)
	20	+ log_write(0, LOG_MAIN\|LOG_PANIC_DIE,
	21	+ "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
	22	+
	23	+if (count <= 0) return;
	24	+
	25	+if (count >= INT_MAX/2 - g->ptr)
	26	+ log_write(0, LOG_MAIN\|LOG_PANIC_DIE,
	27	+ "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
	28	+
	29	+
	30	g->size = ((p + count + inc) & ~inc) + 1;
	31
	32	/* Try to extend an existing allocation. If the result of calling
	33	@@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count)
	34	{
	35	int p;
	36
	37	+if (count < 0)
	38	+ log_write(0, LOG_MAIN\|LOG_PANIC_DIE,
	39	+ "internal error in string_catn (count %d)", count);
	40	+
	41	if (!g)
	42	{
	43	unsigned inc = count < 4096 ? 127 : 1023;
	44	@@ -1201,8 +1217,13 @@ if (!g)
	45	g = string_get(size);
	46	}
	47
	48	+if (g->ptr < 0 \|\| g->ptr > g->size)
	49	+ log_write(0, LOG_MAIN\|LOG_PANIC_DIE,
	50	+ "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
	51	+
	52	p = g->ptr;
	53	-if (p + count >= g->size)
	54	+
	55	+if (count >= g->size - p)
	56	gstring_grow(g, p, count);
	57
	58	/* Because we always specify the exact number of characters to copy, we can
	59	--
	60	2.30.2
	61