copy transport struct for modifying for **bypassed** postprocess

[exim.git] / src / src / string.c

diff --git a/src/src/string.c b/src/src/string.c
index 53ff0a8343bf240f2e19980994e02d02e26d5bb1..64d14439e6bab3c2378e8bf594c40a2423d6348c 100644 (file)
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -575,7 +575,7 @@ uschar *
 string_copy_dnsdomain(uschar *s)
 {
 uschar *yield;
-uschar *ss = yield = store_get(Ustrlen(s) + 1, is_tainted(s));
+uschar *ss = yield = store_get(Ustrlen(s) + 1, TRUE);  /* always treat as tainted */
 
 while (*s != 0)
   {
@@ -858,6 +858,9 @@ Arguments:
   separator  a pointer to the separator character in an int (see above)
   buffer     where to put a copy of the next string in the list; or
                NULL if the next string is returned in new memory
+            Note that if the list is tainted then a provided buffer must be
+            also (else we trap, with a message referencing the callsite).
+            If we do the allocation, taint is handled there.
   buflen     when buffer is not NULL, the size of buffer; otherwise ignored
 
 Returns:     pointer to buffer, containing the next substring,
@@ -949,12 +952,15 @@ else
     s = ss;
     if (!*s || *++s != sep || sep_is_special) break;
     }
+
+  /* Trim trailing spaces from the returned string */
+
   /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
   while (  g->ptr > 0 && isspace(g->s[g->ptr-1])
        && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
     g->ptr--;
   buffer = string_from_gstring(g);
-  gstring_release_unused(g);
+  gstring_release_unused_trc(g, CCS func, line);
   }
 
 /* Update the current pointer and return the new string */
@@ -1088,7 +1094,16 @@ existing length of the string. */
 
 unsigned inc = oldsize < 4096 ? 127 : 1023;
 
+if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
+
 if (count <= 0) return;
+
+if (count >= INT_MAX/2 - g->ptr)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
+
 g->size = (p + count + inc + 1) & ~inc;                /* one for a NUL */
 
 /* Try to extend an existing allocation. If the result of calling
@@ -1137,17 +1152,25 @@ string_catn(gstring * g, const uschar *s, int count)
 int p;
 BOOL srctaint = is_tainted(s);
 
+if (count < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in string_catn (count %d)", count);
+
 if (!g)
   {
   unsigned inc = count < 4096 ? 127 : 1023;
-  unsigned size = ((count + inc) &  ~inc) + 1;
+  unsigned size = ((count + inc) &  ~inc) + 1; /* round up requested count */
   g = string_get_tainted(size, srctaint);
   }
 else if (srctaint && !is_tainted(g->s))
   gstring_rebuffer(g);
 
+if (g->ptr < 0 || g->ptr > g->size)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
+
 p = g->ptr;
-if (p + count >= g->size)
+if (count >= g->size - p)
   gstring_grow(g, count);
 
 /* Because we always specify the exact number of characters to copy, we can
@@ -1689,6 +1712,7 @@ int main(void)
 uschar buffer[256];
 
 printf("Testing is_ip_address\n");
+store_init();
 
 while (fgets(CS buffer, sizeof(buffer), stdin) != NULL)
   {