git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Fix CVE-2016-1531
[exim.git]
/
src
/
src
/
exim_dbmbuild.c
diff --git
a/src/src/exim_dbmbuild.c
b/src/src/exim_dbmbuild.c
index f4e47387a89d4471ba74d0dc82bdd4aaa6a5f4a0..7babc643e14d721f7ff2c62cf0ec30bc014a0fa1 100644
(file)
--- a/
src/src/exim_dbmbuild.c
+++ b/
src/src/exim_dbmbuild.c
@@
-1,10
+1,8
@@
-/* $Cambridge: exim/src/src/exim_dbmbuild.c,v 1.5 2005/08/30 09:19:33 ph10 Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 20
0
5 */
+/* Copyright (c) University of Cambridge 1995 - 20
1
5 */
/* See the file NOTICE for conditions of use and distribution. */
/* See the file NOTICE for conditions of use and distribution. */
@@
-39,7
+37,7
@@
characters. */
/* This is global because it's defined in the headers and compilers grumble
if it is made static. */
/* This is global because it's defined in the headers and compilers grumble
if it is made static. */
-
uschar *hex_digits =
US"0123456789abcdef";
+
const uschar *hex_digits = C
US"0123456789abcdef";
#ifdef STRERROR_FROM_ERRLIST
#ifdef STRERROR_FROM_ERRLIST
@@
-90,10
+88,10
@@
Returns: the value of the character escape
*/
int
*/
int
-string_interpret_escape(uschar **pp)
+string_interpret_escape(
const
uschar **pp)
{
int ch;
{
int ch;
-uschar *p = *pp;
+
const
uschar *p = *pp;
ch = *(++p);
if (isdigit(ch) && ch != '8' && ch != '9')
{
ch = *(++p);
if (isdigit(ch) && ch != '8' && ch != '9')
{
@@
-151,8
+149,8
@@
EXIM_DB *d;
EXIM_DATUM key, content;
uschar *bptr;
uschar keybuffer[256];
EXIM_DATUM key, content;
uschar *bptr;
uschar keybuffer[256];
-uschar temp_dbmname[
256
];
-uschar real_dbmname[
256
];
+uschar temp_dbmname[
512
];
+uschar real_dbmname[
512
];
uschar *buffer = malloc(max_outsize);
uschar *line = malloc(max_insize);
uschar *buffer = malloc(max_outsize);
uschar *line = malloc(max_insize);
@@
-195,6
+193,15
@@
if (Ustrcmp(argv[arg], argv[arg+1]) == 0)
}
#endif
}
#endif
+/* Check length of filename; allow for adding .dbmbuild_temp and .db or
+.dir/.pag later. */
+
+if (strlen(argv[arg+1]) > sizeof(temp_dbmname) - 20)
+ {
+ printf("exim_dbmbuild: output filename is ridiculously long\n");
+ exit(1);
+ }
+
Ustrcpy(temp_dbmname, argv[arg+1]);
Ustrcat(temp_dbmname, ".dbmbuild_temp");
Ustrcpy(temp_dbmname, argv[arg+1]);
Ustrcat(temp_dbmname, ".dbmbuild_temp");
@@
-322,7
+329,7
@@
while (Ufgets(line, max_insize, f) != NULL)
keystart = t;
while (*s != 0 && *s != '\"')
{
keystart = t;
while (*s != 0 && *s != '\"')
{
- if (*s == '\\') *t++ = string_interpret_escape(&s);
+ if (*s == '\\') *t++ = string_interpret_escape(
(const uschar **)
&s);
else *t++ = *s;
s++;
}
else *t++ = *s;
s++;
}