From: Qualys Security Advisory <qsa@qualys.com>
Date: Mon, 22 Feb 2021 05:49:30 +0000 (-0800)
Subject: CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
X-Git-Tag: exim-4.95-RC0~51^2~12
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/cf8734c3fd0823053ae3605beb8681d0957cf4a6

CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

(cherry picked from commit 998e5a9db121c3eff15cac16859bdffd7adcbe57)
(cherry picked from commit 638f7ca75694bcbb70cfbe7db2ef52af4aca5c83)
---

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 9efe7baa9..647c231c7 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -831,6 +831,9 @@ Returns:       the character
 int
 smtp_ungetc(int ch)
 {
+if (smtp_inptr <= smtp_inbuffer)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
+
 *--smtp_inptr = ch;
 return ch;
 }
diff --git a/src/src/tls.c b/src/src/tls.c
index ddee95de2..e073eadbe 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -457,6 +457,9 @@ Returns:       the character
 int
 tls_ungetc(int ch)
 {
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
 return ch;
 }