From: Qualys Security Advisory Date: Mon, 22 Feb 2021 03:22:33 +0000 (-0800) Subject: CVE-2020-28011: Heap buffer overflow in queue_run() X-Git-Tag: exim-4.95-RC0~51^2~20 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/a06ffc5a1b1a49e0e8cd6522ce5a005948333458 CVE-2020-28011: Heap buffer overflow in queue_run() (cherry picked from commit 6e1fb878e95f8e6f838ffde5258c7a969c981865) (cherry picked from commit 08102cbe8102f99b31655aa0e926c45b427efe6d) --- diff --git a/src/src/queue.c b/src/src/queue.c index 4c93c1d7f..567784575 100644 --- a/src/src/queue.c +++ b/src/src/queue.c @@ -396,12 +396,18 @@ if (!recurse) p += sprintf(CS p, " -q%s", extras); if (deliver_selectstring) - p += sprintf(CS p, " -R%s %s", f.deliver_selectstring_regex? "r" : "", - deliver_selectstring); + { + snprintf(CS p, big_buffer_size - (p - big_buffer), " -R%s %s", + f.deliver_selectstring_regex? "r" : "", deliver_selectstring); + p += Ustrlen(CCS p); + } if (deliver_selectstring_sender) - p += sprintf(CS p, " -S%s %s", f.deliver_selectstring_sender_regex? "r" : "", - deliver_selectstring_sender); + { + snprintf(CS p, big_buffer_size - (p - big_buffer), " -S%s %s", + f.deliver_selectstring_sender_regex? "r" : "", deliver_selectstring_sender); + p += Ustrlen(CCS p); + } log_detail = string_copy(big_buffer); if (*queue_name)