1 From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001
2 From: Qualys Security Advisory <qsa@qualys.com>
3 Date: Sun, 21 Feb 2021 21:45:19 -0800
4 Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput()
7 src/string.c | 23 ++++++++++++++++++++++-
8 1 file changed, 22 insertions(+), 1 deletion(-)
10 diff --git a/src/string.c b/src/string.c
11 index 3445f8a42..2cdbe7c75 100644
14 @@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the
15 existing length of the string. */
17 unsigned inc = oldsize < 4096 ? 127 : 1023;
19 +if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
20 + log_write(0, LOG_MAIN|LOG_PANIC_DIE,
21 + "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
23 +if (count <= 0) return;
25 +if (count >= INT_MAX/2 - g->ptr)
26 + log_write(0, LOG_MAIN|LOG_PANIC_DIE,
27 + "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
30 g->size = ((p + count + inc) & ~inc) + 1;
32 /* Try to extend an existing allocation. If the result of calling
33 @@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count)
38 + log_write(0, LOG_MAIN|LOG_PANIC_DIE,
39 + "internal error in string_catn (count %d)", count);
43 unsigned inc = count < 4096 ? 127 : 1023;
44 @@ -1201,8 +1217,13 @@ if (!g)
48 +if (g->ptr < 0 || g->ptr > g->size)
49 + log_write(0, LOG_MAIN|LOG_PANIC_DIE,
50 + "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
53 -if (p + count >= g->size)
55 +if (count >= g->size - p)
56 gstring_grow(g, p, count);
58 /* Because we always specify the exact number of characters to copy, we can