SECURITY: Avoid modification of constant data in dkim handling

[exim.git] / src / src / pdkim / pdkim.c

diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 074106b5da11f4c02db4e2df8fc1cedd9bd514a3..45fa2a104a0eb93e6350be9a250a2b53ea567ce9 100644 (file)
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -107,7 +107,7 @@ pdkim_combined_canon_entry pdkim_combined_canons[] = {
 };
 
 
-static blob lineending = {.data = US"\r\n", .len = 2};
+static const blob lineending = {.data = US"\r\n", .len = 2};
 
 /* -------------------------------------------------------------------------- */
 uschar *
@@ -720,9 +720,9 @@ return NULL;
 If we have to relax the data for this sig, return our copy of it. */
 
 static blob *
-pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob const * orig_data, blob * relaxed_data)
+pdkim_update_ctx_bodyhash(pdkim_bodyhash * b, const blob * orig_data, blob * relaxed_data)
 {
-const blob const * canon_data = orig_data;
+const blob * canon_data = orig_data;
 size_t left;
 
 /* Defaults to simple canon (no further treatment necessary) */
@@ -771,9 +771,9 @@ if (b->canon_method == PDKIM_CANON_RELAXED)
 /* Make sure we don't exceed the to-be-signed body length */
 left = canon_data->len;
 if (  b->bodylength >= 0
-   && b->signed_body_bytes + left > b->bodylength
+   && left > (unsigned long)b->bodylength - b->signed_body_bytes
    )
-  left = b->bodylength - b->signed_body_bytes;
+  left = (unsigned long)b->bodylength - b->signed_body_bytes;
 
 if (left > 0)
   {