X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/8c5d388a6e12d1a8bd4aa565920238f8a921414a..490f424e8cc098f0330d140d1db8c92c8723866c:/src/src/spool_in.c
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 59192ef30..085437212 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -2,7 +2,7 @@
 * Exim - an Internet mail transport agent *
 *************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */
 /* See the file NOTICE for conditions of use and distribution. */
 /* Functions for reading spool files. When compiling for a utility (eximon),
@@ -473,11 +473,13 @@ for (;;)
 int index, count;
 uschar name[20]; /* Need plenty of space for %d format */
 tree_node *node;
- if (sscanf(CS big_buffer + 5, "%d %d", &index, &count) != 2)
+ if ( sscanf(CS big_buffer + 5, "%d %d", &index, &count) != 2
+ || index >= 20
+ )
 goto SPOOL_FORMAT_ERROR;
 if (index < 10)
 (void) string_format(name, sizeof(name), "%c%d", 'c', index);
- else if (index < 20) /* ignore out-of-range index */
+ else
 (void) string_format(name, sizeof(name), "%c%d", 'm', index - 10);
 node = acl_var_create(name);
 node->data.ptr = store_get(count + 1);
@@ -511,7 +513,8 @@ for (;;)
 if (Ustrncmp(p, "rozen", 5) == 0)
 {
 deliver_freeze = TRUE;
- sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at);
+ if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
+ goto SPOOL_READ_ERROR;
 }
 break;
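Review bot: In the `@@ -473,11 +473,13 @@` hunk the new guard rejects `index >= 20` but still accepts a negative `index` and any `count`, both parsed with `%d` from the spool line. A negative index takes the `index < 10` branch and yields a variable name such as `c-1`, and `count` flows unchecked into `store_get(count + 1)`, where a negative or very large value gives a wrong or overflowing size. I would extend the condition to `|| index < 0 || index >= 20 || count < 0` and add an upper limit on `count` that the project considers sane for an ACL variable. How `count` is used after `store_get` lies outside the hunk, so the impact of a bad value there is inferred.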
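Review bot: In the `@@ -511,7 +513,8 @@` hunk a failed parse of the frozen-at timestamp jumps to `SPOOL_READ_ERROR`, whereas the sscanf failure in the `@@ -473,11 +473,13 @@` hunk uses `SPOOL_FORMAT_ERROR`; a value that does not match `TIME_T_FMT` looks like a format problem, so `goto SPOOL_FORMAT_ERROR;` would be the consistent choice unless the read-error label is intended here. `deliver_freeze = TRUE;` is also assigned before the check, so the flag stays set on the error path; moving the assignment after the `sscanf` test avoids that. Both labels are defined outside the hunk, so their exact handling should be confirmed.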