Taint: fix listcount expansion operator. Bug 2586

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 93bd62cc47e3433bddc20c0019b2f992c7239450..240dc7538ea6f32d115adddfea82d7d8268ee21f 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,10 +11,14 @@ JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail-
       says that "M" should be, so change to match.
 
 JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
       says that "M" should be, so change to match.
 
 JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used

-      as arguments, so an implementation trying to copy these into local
+      as arguments, so an implementation trying to copy these into a local

       buffer was taking a taint-enformance trap.  Fix by using dynamically
       created buffers.
 
       buffer was taking a taint-enformance trap.  Fix by using dynamically
       created buffers.
 

+JH/03 Bug 2586: Fix listcount expansion operator.  Using tainted arguments is
+      reasonable, eg. to count headers.  Fix by using dynamically created
+      buffers rather than a local,
+

 
 Exim version 4.94
 -----------------
 
 Exim version 4.94
 -----------------

diff --git a/src/src/expand.c b/src/src/expand.c
index b014533c928d3df9c687dd593190f7702b39f336..b01512425e48eeb9d79a2b9a72e0b9c108a1acde 100644 (file)
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -7208,9 +7208,8 @@ while (*s != 0)
         {
        int cnt = 0;
        int sep = 0;
         {
        int cnt = 0;
        int sep = 0;

-       uschar buffer[256];

 
 

-       while (string_nextinlist(CUSS &sub, &sep, buffer, sizeof(buffer))) cnt++;
+       while (string_nextinlist(CUSS &sub, &sep, NULL, 0)) cnt++;

        yield = string_fmt_append(yield, "%d", cnt);
         continue;
         }
        yield = string_fmt_append(yield, "%d", cnt);
         continue;
         }