X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/ab1604ea9202d3dbc0fd7fd230dc693d83d3092c..ba74fb8d95d2e9af2122e0a95c4d5334b4f0466c:/src/src/string.c

diff --git a/src/src/string.c b/src/src/string.c
index 4ef2fee62..80cf49fdf 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -863,7 +863,8 @@ Returns:     pointer to buffer, containing the next substring,
 */
 
 uschar *
-string_nextinlist(const uschar **listptr, int *separator, uschar *buffer, int buflen)
+string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen,
+ const uschar * func, int line)
 {
 int sep = *separator;
 const uschar *s = *listptr;
@@ -906,6 +907,8 @@ sep_is_special = iscntrl(sep);
 if (buffer)
   {
   int p = 0;
+  if (is_tainted(s) && !is_tainted(buffer))
+    die_tainted(US"string_nextinlist", func, line);
   for (; *s; s++)
     {
     if (*s == sep && (*(++s) != sep || sep_is_special)) break;
@@ -1638,7 +1641,7 @@ doesn't seem much we can do about that. */
 
 va_start(ap, format);
 (void) string_vformat_trc(g, func, line, STRING_SPRINTF_BUFFER_SIZE,
-	0, format, ap);
+	SVFMT_REBUFFER, format, ap);
 string_from_gstring(g);
 gstring_release_unused(g);
 va_end(ap);