CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()

[exim.git] / src / src / parse.c

diff --git a/src/src/parse.c b/src/src/parse.c
index 3f1ba222f170a4c56ad4738403ac4e12a49e2ae9..086b010c3f2675f0ae7c5ffdefe0c577e45df857 100644 (file)
--- a/src/src/parse.c
+++ b/src/src/parse.c
@@ -979,12 +979,12 @@ if (i < len)
 
 /* No non-printers; use the RFC 822 quoting rules */
 
-if (!len)
+if (len <= 0 || len >= INT_MAX/4)
   {
-  return string_copy_taint(US"", is_tainted(phrase));
+  return string_copy_taint(CUS"", is_tainted(phrase));
   }
 
-buffer = store_get(len*4, is_tainted(phrase));
+buffer = store_get((len+1)*4, is_tainted(phrase));
 
 s = phrase;
 end = s + len;
@@ -1129,12 +1129,7 @@ while (s < end)
             {
             if (ss >= end) ss--;
             *t++ = '(';
-            if (ss < s)
-              {
-              /* Someone has ended the string with "<punct>(". */
-              ss = s;
-              }
-            else
+            if (ss > s)
               {
               Ustrncpy(t, s, ss-s);
               t += ss-s;