Caused crash in free() by corrupting malloc metadata.
Reported-by: University of Cambridge
Broken-by: 80a47a2c96
was marked defer_ok. Fix to keep the two timeout-detection methods
separate.
+JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
+ metadata, resulting in a crash in free().
+
Exim version 4.90
-----------------
if (!relaxed_data)
{
BOOL seen_wsp = FALSE;
- const uschar * p;
+ const uschar * p, * r;
int q = 0;
/* We want to be able to free this else we allocate
relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
relaxed_data->data = US (relaxed_data+1);
- for (p = orig_data->data; *p; p++)
+ for (p = orig_data->data, r = p + orig_data->len; p < r; p++)
{
char c = *p;
if (c == '\r')
/* -------------------------------------------------------------------------- */
/* Call from pdkim_feed below for processing complete body lines */
+/* NOTE: the line is not NUL-terminated; but we have a count */
static void
pdkim_bodyline_complete(pdkim_ctx * ctx)