git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Taint: check on supplied buffer vs. list when extracting elements
[exim.git]
/
src
/
src
/
string.c
diff --git
a/src/src/string.c
b/src/src/string.c
index 4ef2fee622f0d8424e8ff4ff662bd80a5a411c57..80cf49fdf1b297d14f0d25d43708b98c92e20660 100644
(file)
--- a/
src/src/string.c
+++ b/
src/src/string.c
@@
-863,7
+863,8
@@
Returns: pointer to buffer, containing the next substring,
*/
uschar *
*/
uschar *
-string_nextinlist(const uschar **listptr, int *separator, uschar *buffer, int buflen)
+string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen,
+ const uschar * func, int line)
{
int sep = *separator;
const uschar *s = *listptr;
{
int sep = *separator;
const uschar *s = *listptr;
@@
-906,6
+907,8
@@
sep_is_special = iscntrl(sep);
if (buffer)
{
int p = 0;
if (buffer)
{
int p = 0;
+ if (is_tainted(s) && !is_tainted(buffer))
+ die_tainted(US"string_nextinlist", func, line);
for (; *s; s++)
{
if (*s == sep && (*(++s) != sep || sep_is_special)) break;
for (; *s; s++)
{
if (*s == sep && (*(++s) != sep || sep_is_special)) break;
@@
-1638,7
+1641,7
@@
doesn't seem much we can do about that. */
va_start(ap, format);
(void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
va_start(ap, format);
(void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
-
0
, format, ap);
+
SVFMT_REBUFFER
, format, ap);
string_from_gstring(g);
gstring_release_unused(g);
va_end(ap);
string_from_gstring(g);
gstring_release_unused(g);
va_end(ap);