Fix free of $value after ${run...}
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 3 Aug 2023 17:34:06 +0000 (18:34 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Thu, 3 Aug 2023 19:55:20 +0000 (20:55 +0100)
doc/doc-txt/ChangeLog
src/src/expand.c
test/log/0635 [new file with mode: 0644]
test/mail/0635.CALLER [new file with mode: 0644]

index 9d7c45a79b67a7f5965ed95db97b3f55e45af434..ecb4aadec59cef9eee4f84c60b2778a4a1727f32 100644 (file)
@@ -170,6 +170,9 @@ JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
 JH/32 Fix "tls_dhparam = none" under GnuTLS.  At least with 3.7.9 this gave
       a null-indirection SIGSEGV for the receive process.
 
+JH/33 Fix free for live variable $value created by a ${run ...} expansion.
+      Although not seen, this could have resulted in a SIGSEGV.
+
 
 Exim version 4.96
 -----------------
index ae16575492585c8ab3d8ae9a57c61fd023e7c544..e0c571ade62cf194490a739e3e25eb5389bbb4ce 100644 (file)
@@ -5624,6 +5624,8 @@ while (*s)
       FILE * f;
       const uschar * arg, ** argv;
       BOOL late_expand = TRUE;
+      uschar * save_value = lookup_value;
+      int yesno;
 
       if (expand_forbid & RDO_RUN)
         {
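Review bot: `save_value` is declared with no comment saying why the caller's `$value` has to be captured at this point, although that capture is the whole fix. I would add a comment above `uschar * save_value = lookup_value;`, for example `/* $value as it was on entry; put back on every exit from this item */`. Without it, the later `lookup_value = save_value;` assignments read as redundant and are easy to drop in a refactor, which would bring back the freed-but-live `$value` that the ChangeLog entry describes. The `${run}` case body starts before this hunk and continues after it.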
@@ -5747,20 +5749,24 @@ while (*s)
             expand_string_message = string_sprintf("command killed by signal %d",
               -runrc);
 
+         lookup_value = save_value;
           goto EXPAND_FAILED;
           }
         }
 
       /* Process the yes/no strings; $value may be useful in both cases */
 
-      switch(process_yesno(
+      yesno = process_yesno(
                flags,                  /* were previously skipping */
                runrc == 0,             /* success/failure indicator */
                lookup_value,           /* value to reset for string2 */
                &s,                     /* input pointer */
                &yield,                 /* output pointer */
                US"run",                        /* condition type */
-              &resetok))
+              &resetok);
+      lookup_value = save_value;
+
+      switch(yesno)
         {
         case 1: goto EXPAND_FAILED;          /* when all is well, the */
         case 2: goto EXPAND_FAILED_CURLY;    /* returned value is 0 */
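Review bot: The restore `lookup_value = save_value;` is written out by hand on each exit, once before `goto EXPAND_FAILED` in the killed-by-signal branch and once after `process_yesno()`. Any other exit taken after `lookup_value` has been overwritten would still leave `$value` pointing at memory owned by this item. The assignment that overwrites `lookup_value` is outside the hunk, so I cannot confirm that no other `goto EXPAND_FAILED` lies between it and this point; that is worth checking before merge. A comment at that assignment, such as `/* every exit below must restore save_value */`, would keep later failure paths from missing the restore.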
diff --git a/test/log/0635 b/test/log/0635
new file mode 100644 (file)
index 0000000..a8ccbcf
--- /dev/null
@@ -0,0 +1,7 @@
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 $recipients: "CALLER@the.local.host.name"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 run-wrapped $recipients: "\n"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= someone@some.domain U=CALLER P=local-smtp S=sss
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => CALLER <CALLER@the.local.host.name> R=localuser T=local_delivery
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
+1999-03-02 09:44:33 Start queue run: pid=p1234
+1999-03-02 09:44:33 End queue run: pid=p1234
diff --git a/test/mail/0635.CALLER b/test/mail/0635.CALLER
new file mode 100644 (file)
index 0000000..25b61aa
--- /dev/null
@@ -0,0 +1,13 @@
+From someone@some.domain Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test)
+       by the.local.host.name with local-smtp (Exim x.yz)
+       (envelope-from <someone@some.domain>)
+       id 10HmaX-000000005vi-0000
+       for CALLER@the.local.host.name;
+       Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-000000005vi-0000@the.local.host.name>
+From: someone@some.domain
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+This is a test message.
+