X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/f3ebb786e451da973560f1c9d8cdb151d25108b5..4191cb150300d310ab5fa22ce2cfb02b6f6051b0:/src/src/bmi_spam.c

diff --git a/src/src/bmi_spam.c b/src/src/bmi_spam.c
index 6651de5ad..334022b00 100644
--- a/src/src/bmi_spam.c
+++ b/src/src/bmi_spam.c
@@ -193,16 +193,16 @@ uschar *bmi_process_message(header_line *header_list, int data_fd) {
   /* Get store for the verdict string.  Since we are processing message data, assume that
   the verdict is tainted.  XXX this should use a growable-string  */
 
-  verdicts = store_get(1, TRUE);
+  verdicts = store_get(1, GET_TAINTED);
   *verdicts = '\0';
 
   for ( err = bmiAccessFirstVerdict(message, &verdict);
-        verdict != NULL;
+        verdict;
         err = bmiAccessNextVerdict(message, verdict, &verdict) ) {
     char *verdict_str;
 
     err = bmiCreateStrFromVerdict(verdict,&verdict_str);
-    if (!store_extend(verdicts, TRUE,
+    if (!store_extend(verdicts,
 	  Ustrlen(verdicts)+1, Ustrlen(verdicts)+1+strlen(verdict_str)+1)) {
       /* can't allocate more store */
       return NULL;
@@ -302,7 +302,7 @@ uschar *bmi_get_alt_location(uschar *base64_verdict) {
   }
   else {
     /* deliver to alternate location */
-    rc = store_get(strlen(bmiVerdictAccessDestination(verdict))+1, TRUE);
+    rc = store_get(strlen(bmiVerdictAccessDestination(verdict))+1, GET_TAINTED);
     Ustrcpy(rc, bmiVerdictAccessDestination(verdict));
     rc[strlen(bmiVerdictAccessDestination(verdict))] = '\0';
   };
@@ -327,7 +327,7 @@ uschar *bmi_get_base64_verdict(uschar *bmi_local_part, uschar *bmi_domain) {
     return NULL;
 
   /* allocate room for the b64 verdict string */
-  verdict_buffer = store_get(Ustrlen(bmi_verdicts)+1, TRUE);
+  verdict_buffer = store_get(Ustrlen(bmi_verdicts)+1, GET_TAINTED);
 
   /* loop through verdicts */
   verdict_ptr = bmi_verdicts;
@@ -448,9 +448,11 @@ int bmi_check_rule(uschar *base64_verdict, uschar *option_list) {
   }
 
   /* loop through numbers */
+  /* option_list doesn't seem to be expanded so cannot be tainted.  If it ever is we
+  will trap here */
   rule_ptr = option_list;
   while ((rule_num = string_nextinlist(&rule_ptr, &sep,
-                                       rule_buffer, 32)) != NULL) {
+                                       rule_buffer, sizeof(rule_buffer)))) {
     int rule_int = -1;
 
     /* try to translate to int */