--- /dev/null
+From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 21:45:19 -0800
+Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput()
+
+---
+ src/string.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/string.c b/src/string.c
+index 3445f8a42..2cdbe7c75 100644
+--- a/src/string.c
++++ b/src/string.c
+@@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the
+ existing length of the string. */
+
+ unsigned inc = oldsize < 4096 ? 127 : 1023;
++
++if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
++ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++ "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
++
++if (count <= 0) return;
++
++if (count >= INT_MAX/2 - g->ptr)
++ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++ "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
++
++
+ g->size = ((p + count + inc) & ~inc) + 1;
+
+ /* Try to extend an existing allocation. If the result of calling
+@@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count)
+ {
+ int p;
+
++if (count < 0)
++ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++ "internal error in string_catn (count %d)", count);
++
+ if (!g)
+ {
+ unsigned inc = count < 4096 ? 127 : 1023;
+@@ -1201,8 +1217,13 @@ if (!g)
+ g = string_get(size);
+ }
+
++if (g->ptr < 0 || g->ptr > g->size)
++ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
++ "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
++
+ p = g->ptr;
+-if (p + count >= g->size)
++
++if (count >= g->size - p)
+ gstring_grow(g, p, count);
+
+ /* Because we always specify the exact number of characters to copy, we can
+--
+2.30.2
+
HCoop / hcoop / debian / exim4.git / blobdiff