Taint: fix off-by-one in is_tainted(). Bug 2634

(cherry picked from commit e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2d2dc1f9f25bea2d4311b0004a2f09af66de2932..6d944f204dfea583726c2c63d9b08cdfcc5c1431 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,11 @@ JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
       Previously when a whitespace character was specified it was not inserted
       after removing the newline.
 
+JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
+      is_tainted() had an off-by-one error in the overenthusiastic direction.
+      Find and fix by Gavan.  Although NetBSD is not a supported platform for
+      4.94 this bug could affect other platforms.
+
 
 Exim version 4.94
 -----------------

diff --git a/src/src/store.c b/src/src/store.c
index c460ba383794ca93f2f1375adcde99471586cecc..7d08c9804fb350a1a8780c5cb07aa8f412334734 100644 (file)
--- a/src/src/store.c
+++ b/src/src/store.c
@@ -188,14 +188,14 @@ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
   if ((b = current_block[pool]))
     {
     uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
-    if (US p >= bc && US p <= bc + b->length) return TRUE;
+    if (US p >= bc && US p < bc + b->length) return TRUE;
     }
 
 for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
   for (b = chainbase[pool]; b; b = b->next)
     {
     uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
-    if (US p >= bc && US p <= bc + b->length) return TRUE;
+    if (US p >= bc && US p < bc + b->length) return TRUE;
     }
 return FALSE;
 }