From dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7 Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Mon, 29 Mar 2021 22:16:28 +0200
Subject: [PATCH] CVE-2020-28010: Heap out-of-bounds write in main()

Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me.

(cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c)
---
 src/src/exim.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/src/exim.c b/src/src/exim.c
index f7a45ff09..975b39a58 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3839,7 +3839,6 @@ during readconf_main() some expansion takes place already. */
 
 /* Store the initial cwd before we change directories.  Can be NULL if the
 dir has already been unlinked. */
-errno = 0;
 initial_cwd = os_getcwd(NULL, 0);
 if (!initial_cwd && errno)
   exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
@@ -4133,11 +4132,9 @@ if (  (debug_selector & D_any  ||  LOGGING(arguments))
     p += 13;
   else
     {
-    Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
-    p += 4 + Ustrlen(initial_cwd);
-    /* in case p is near the end and we don't provide enough space for
-     * string_format to be willing to write. */
-    *p = '\0';
+    p += 4;
+    snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
+    p += Ustrlen(CCS p);
     }
 
   (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
-- 
2.30.2