| 1 | From 2600301ba6dbac5c9d640c87007a07ee6dcea1f4 Mon Sep 17 00:00:00 2001 |
| 2 | From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> |
| 3 | Date: Mon, 19 Aug 2019 14:45:48 +0200 |
| 4 | Subject: [PATCH] string.c: do not interpret '\\' before '\0' (CVE-2019-15846) |
| 5 | |
| 6 | |
| 7 | --- a/doc/ChangeLog |
| 8 | +++ b/doc/ChangeLog |
| 9 | @@ -4,6 +4,11 @@ This document describes *changes* to pre |
| 10 | affect Exim's operation, with an unchanged configuration file. For new |
| 11 | options, and new features, see the NewStuff file next to this ChangeLog. |
| 12 | |
| 13 | +Exim version 4.92.2 |
| 14 | +------------------- |
| 15 | + |
| 16 | +HS/01 Handle trailing backslash gracefully. (CVE-2019-15846) |
| 17 | + |
| 18 | |
| 19 | Since version 4.92 |
| 20 | ------------------ |
| 21 | --- a/src/string.c |
| 22 | +++ b/src/string.c |
| 23 | @@ -224,6 +224,8 @@ interpreted in strings. |
| 24 | Arguments: |
| 25 | pp points a pointer to the initiating "\" in the string; |
| 26 | the pointer gets updated to point to the final character |
| 27 | + If the backslash is the last character in the string, it |
| 28 | + is not interpreted. |
| 29 | Returns: the value of the character escape |
| 30 | */ |
| 31 | |
| 32 | @@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789 |
| 33 | int ch; |
| 34 | const uschar *p = *pp; |
| 35 | ch = *(++p); |
| 36 | +if (ch == '\0') return **pp; |
| 37 | if (isdigit(ch) && ch != '8' && ch != '9') |
| 38 | { |
| 39 | ch -= '0'; |
| 40 | @@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count); |
| 41 | g->ptr = p + count; |
| 42 | return g; |
| 43 | } |
| 44 | - |
| 45 | - |
| 46 | + |
| 47 | + |
| 48 | gstring * |
| 49 | string_cat(gstring *string, const uschar *s) |
| 50 | { |