Buffer overrun fix. fixes: bug #787

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 52279d332a0377664c8814d9b4d4fb300f6c20dd..09b9031ccb351e37fa67e5c4b132a71f640d0d1f 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.556 2008/10/16 07:57:01 nm4 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.557 2008/12/12 14:36:37 nm4 Exp $
 
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -77,6 +77,9 @@ NM/07 Bugzilla 769: Extraneous comma in usage fprintf
 NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be
       acl_smtp_notquit
 
+NM/09 Bugzilla 787: Potential buffer overflow in string_format
+      Patch provided by Eugene Bujak
+
 
 Exim version 4.69
 -----------------

diff --git a/src/src/string.c b/src/src/string.c
index 20bd1d1f30199660eff520951116de5386ca219c..83455294dc824b5ce5e4734725c513110ce66174 100644 (file)
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/string.c,v 1.13 2007/02/26 14:07:04 ph10 Exp $ */
+/* $Cambridge: exim/src/src/string.c,v 1.14 2008/12/12 14:36:37 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -1267,10 +1267,17 @@ while (*fp != 0)
     not OK, add part of the string (debugging uses this to show as
     much as possible). */
 
+    if (p == last)
+      {
+      yield = FALSE;
+      goto END_FORMAT;
+      }
     if (p >= last - width)
       {
       yield = FALSE;
       width = precision = last - p - 1;
+      if (width < 0) width = 0;
+      if (precision < 0) precision = 0;
       }
     sprintf(CS p, "%*.*s", width, precision, s);
     if (fp[-1] == 'S')