From 70069b65a39a7ba73a36fbd95371ff03cde1eb23 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 2 Feb 2023 20:00:35 +0000
Subject: [PATCH] Fix crash in expansions

Broken-by: 1058096b8c53
---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/expand.c | 9 +++++----
 test/stderr/0630 | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d85af1786..bad73cc7b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -105,6 +105,10 @@ JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect
 JH/21 Bug 2434: Add connection-elapsed "D=" element to more connection closure log lines.
 
+JH/23 Fix crash in string expansions. Previously, if an empty variable was
+ immediately followed by an expansion operator, a null-indirection read
+ was done, killing the process.
+
 Exim version 4.96
 -----------------
 
diff --git a/src/src/expand.c b/src/src/expand.c
index 10f009ce2..a7e6e4fb3 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -4747,7 +4747,7 @@ while (*s)
 continue;
 }
 
- if (isdigit(*s))
+ if (isdigit(*s)) /* A $ variable */
 {
 int n;
 s = read_cnumber(&n, s);
@@ -7165,6 +7165,7 @@ NOT_ITEM: ;
 /* Deal specially with operators that might take a certificate variable as we do not want to do the usual expansion. For most, expand the string.*/
 
+
 switch(c)
 {
 #ifndef DISABLE_TLS
@@ -7213,7 +7214,7 @@ NOT_ITEM: ;
 to the main loop top. */
 
 {
- int start = yield->ptr;
+ unsigned expansion_start = gstring_length(yield);
 switch(c)
 {
 case EOP_BASE32:
@@ -8275,8 +8276,8 @@ NOT_ITEM: ;
 
 DEBUG(D_expand)
 {
- const uschar * s = yield->s + start;
- int i = yield->ptr - start;
+ const uschar * s = yield->s + expansion_start;
+ int i = gstring_length(yield) - expansion_start;
 BOOL tainted = is_tainted(s);
 
 DEBUG(D_noutf8)
diff --git a/test/stderr/0630 b/test/stderr/0630
index 28904eb94..3ecc9dcbd 100644
--- a/test/stderr/0630
+++ b/test/stderr/0630
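Review bot: The new `unsigned expansion_start = gstring_length(yield);` line in the @@ -7213 hunk is the whole crash fix, yet nothing on it says why `yield->ptr` had to go; a reader without the ChangeLog entry will not know that `yield` can still be NULL here (an empty variable leaves no gstring behind) and that `gstring_length()` is, presumably, the NULL-tolerant accessor. A short comment on the line would carry that: `unsigned expansion_start = gstring_length(yield);	/* yield may be NULL after an empty variable */`. The `int` to `unsigned` change also feeds the `gstring_length(yield) - expansion_start` subtraction in the debug block later on, which is only safe if `yield` never shrinks below `expansion_start` during the operator switch; worth stating in the same comment. The enclosing block and the operator switch continue outside the hunk.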
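Review bot: In the @@ -8275 hunk, `const uschar * s = yield->s + expansion_start;` still dereferences `yield` unguarded, so if `yield` can be NULL when this DEBUG(D_expand) block is reached (the premise of the fix: an empty variable leaves no gstring) the same null-indirection read reappears whenever expansion debugging is on and the operator appended nothing. Whether every operator case guarantees a non-NULL `yield` by this point cannot be seen from the hunk; if it does not, `const uschar * s = yield ? yield->s + expansion_start : (const uschar *)"";` keeps the debug output and the following `is_tainted(s)` well-defined. The operator switch that precedes this block lies outside the hunk.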
@@ -1,3 +1,4 @@
+01:01:01 p1235 no domain retry record
 01:01:01 p1235 no address retry record
 01:01:01 p1235 dest3@test.ex: queued for routing
 01:01:01 p1235 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-- 
2.30.2