Try to replace every direct calls to malloc() with store_malloc() (ᴄᴡᴇ‑192)+other fixes.

doc/doc-docbook/spec.xfpt

@@ -32489,15 +32489,15 @@ match the specification, the function does nothing.
 
 
 .vitem "&*BOOL&~header_testname(header_line&~*hdr,&~uschar&~*name,&~&&&
-        int&~length,&~BOOL&~notdel)*&"
+        size_t&~length,&~BOOL&~notdel)*&"
 This function tests whether the given header has the given name. It is not just
 a string comparison, because white space is permitted between the name and the
 colon. If the &%notdel%& argument is true, a false return is forced for all
 &"deleted"& headers; otherwise they are not treated specially. For example:
 .code
 if (header_testname(h, US"X-Spam", 6, TRUE)) ...
 .endd
-.vitem &*uschar&~*lss_b64encode(uschar&~*cleartext,&~int&~length)*&
+.vitem &*uschar&~*lss_b64encode(uschar&~*cleartext,&~size_t&~length)*&
 .cindex "base64 encoding" "functions for &[local_scan()]& use"
 This function base64-encodes a string, which is passed by address and length.
 The text may contain bytes of any value, including zero. The result is passed
@@ -32587,7 +32587,7 @@ address.
 .cindex "RFC 2047"
 .vlist
 .vitem "&*uschar&~rfc2047_decode(uschar&~*string,&~BOOL&~lencheck,&&&
-  &~uschar&~*target,&~int&~zeroval,&~int&~*lenptr, &~&~uschar&~**error)*&"
+  &~uschar&~*target,&~int&~zeroval,&~size_t&~*lenptr, &~&~uschar&~**error)*&"
 This function decodes strings that are encoded according to RFC 2047. Typically
 these are the contents of header lines. First, each &"encoded word"& is decoded
 from the Q or B encoding into a byte-string. Then, if provided with the name of

doc/doc-txt/ChangeLog

@@ -40,6 +40,27 @@ JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
 JH/10 Support ${sha256:} applied to a string (as well as the previous
       certificate).
 
+LC/01 Prefer the use of size_t for variables representing sizes. Even if most
+      strings in Exim are limited to 2¹⁵, This acts as a suplemental protection
+      against overflows.
+      Especially for 16 bits x86 where INT_MAX is already 2¹⁵ and pointers used
+      in Unix programs are FAR (20 bits wide).
+      In the meantime, this doesn’t impact any cases where negative length could
+      have been used, as an error value.
+
+LC/02 Some values representing maximum path size were hard coded.
+      They are now replaced with the PATH_MAX macro.
+
+LC/03 As everybody knows, malloc() can fails by returning 0. The return values
+      weren’t checked everywhere.
+      Try to always replace direct calls to malloc() with store_malloc() from the
+      project standard memory management facilities even it was handled in way
+      that let the daemon running.
+      In a few case, this isn’t possible : either because store_malloc() isn’t
+      available or can’t be called or because other ressources need to freed
+      before terminating the program. In that case, still use direct calls to
+      malloc().
+
 
 Exim version 4.87
 -----------------

src/OS/Makefile-Base

@@ -408,9 +408,9 @@ exim_tidydb: $(OBJ_TIDYDB)
 
 # The utility for building dbm files
 
-exim_dbmbuild: exim_dbmbuild.o
+exim_dbmbuild: util-store.o exim_dbmbuild.o
 	@echo "$(LNCC) -o exim_dbmbuild"
-	$(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dbmbuild $(LFLAGS) exim_dbmbuild.o \
+	$(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_dbmbuild $(LFLAGS) exim_dbmbuild.o util-store.o \
 	  $(LIBS) $(EXTRALIBS) $(DBMLIB)
 	@if [ x"$(STRIP_COMMAND)" != x"" ]; then \
 	  echo $(STRIP_COMMAND) exim_dbmbuild; \
@@ -421,11 +421,11 @@ exim_dbmbuild: exim_dbmbuild.o
 
 # The utility for locking a mailbox while messing around with it
 
-exim_lock: exim_lock.c os.h
+exim_lock: util-store.o exim_lock.c os.h
 	@echo "$(CC) exim_lock.c"
 	$(FE)$(CC) -c $(CFLAGS) $(INCLUDE) exim_lock.c
 	@echo "$(LNCC) -o exim_lock"
-	$(FE)$(LNCC) -o exim_lock $(LFLAGS) exim_lock.o  \
+	$(FE)$(LNCC) -o exim_lock $(LFLAGS) exim_lock.o util-store.o  \
 	  $(LIBS) $(EXTRALIBS)
 	@if [ x"$(STRIP_COMMAND)" != x"" ]; then \
 	  echo $(STRIP_COMMAND) exim_lock; \

src/exim_monitor/em_TextPop.c

@@ -468,7 +468,7 @@ struct SearchAndReplace * search;
   text.firstPos = 0;
   text.format = FMT8BIT;
 
-  dir = (XawTextScanDirection)(int) ((caddr_t)XawToggleGetCurrent(search->left_toggle) -
+  dir = (XawTextScanDirection)(size_t) ((caddr_t)XawToggleGetCurrent(search->left_toggle) -
 				R_OFFSET);
 
   pos = XawTextSearch( tw, dir, &text);

src/exim_monitor/em_globals.c

@@ -59,7 +59,7 @@ BOOL    log_datestamping = FALSE;
 int     log_depth = 150;
 uschar *log_display_buffer;
 uschar *log_file = NULL;
-uschar  log_file_open[256];
+uschar  log_file_open[PATH_MAX];
 uschar *log_font = NULL;
 ino_t   log_inode;
 long int log_position;

src/exim_monitor/em_hdr.h

@@ -31,6 +31,7 @@ purposes! */
 /* ANSI C includes */
 
 #include <ctype.h>
+#include <limits.h>
 #include <setjmp.h>
 #include <signal.h>
 #include <stdarg.h>
@@ -186,7 +187,7 @@ typedef struct queue_item {
   struct dest_item  *destinations;
   int  input_time;
   int  update_time;
-  int  size;
+  size_t  size;
   uschar *sender;
   uschar name[17];
   uschar seen;
@@ -253,7 +254,7 @@ extern BOOL    log_datestamping;    /* TRUE if logs are datestamped */
 extern int     log_depth;           /* depth of log tail window */
 extern uschar *log_display_buffer;  /* to hold display text */
 extern uschar *log_file;            /* supplied name of exim log file */
-extern uschar  log_file_open[256];  /* actual open file */
+extern uschar  log_file_open[PATH_MAX]; /* actual open file */
 extern uschar *log_font;            /* font for log display */
 extern ino_t   log_inode;           /* the inode of the log file */
 extern long int log_position;      /* position in log file */

src/exim_monitor/em_log.c

@@ -367,7 +367,7 @@ link count of zero on the currently open file. */
 
 if (log_datestamping)
   {
-  uschar log_file_wanted[256];
+  uschar log_file_wanted[PATH_MAX];
   /* Do *not* use "%s" here, we need the %D datestamp in the log_file to
    *   be expanded! */
   string_format(log_file_wanted, sizeof(log_file_wanted), CS log_file);

src/exim_monitor/em_queue.c

@@ -762,7 +762,7 @@ while (p != NULL)
 
     for (skp = &queue_skip; ; skp = &(sk->next))
       {
-      int len_skip;
+      size_t len_skip;
 
       sk = *skp;
       while (sk != NULL && now >= sk->reveal)

src/exim_monitor/em_strip.c

@@ -63,7 +63,7 @@ static void stripchartAction(Widget w, XtPointer client_data, XtPointer value)
 double *ptr = (double *)value;
 static int thresholds[] =
   {10, 20, 50, 100, 200, 500, 1000, 2000, 5000, 10000, 0};
-int num = (int)client_data;
+size_t num = (size_t)client_data;
 int oldmax = 0;
 int newmax = 0;
 int newvalue = 0;

src/exim_monitor/em_version.c

@@ -7,6 +7,7 @@
 
 #include "mytypes.h"
 #include "macros.h"
+#include "store.h"
 #include <string.h>
 #include <stdlib.h>
 
@@ -25,7 +26,7 @@ Ustrcpy(today, __DATE__);
 if (today[4] == ' ') i = 1;
 today[3] = today[6] = '-';
 
-version_date = (uschar *)malloc(32);
+version_date = (uschar *)store_malloc(32);
 version_date[0] = 0;
 Ustrncat(version_date, today+4+i, 3-i);
 Ustrncat(version_date, today, 4);

src/exim_monitor/em_xs.c

@@ -30,7 +30,7 @@ void xs_SetValues(Widget w, Cardinal num_args, ...)
 {
 int i;
 va_list ap;
-Arg *aa = (num_args > 15)? (Arg *)malloc(num_args*sizeof(Arg)) : xs_temparg;
+Arg *aa = (num_args > 15)? (Arg *)store_malloc(num_args*sizeof(Arg)) : xs_temparg;
 va_start(ap, num_args);
 for (i = 0; i < num_args; i++)
   {
@@ -39,7 +39,7 @@ for (i = 0; i < num_args; i++)
   }
 va_end(ap);
 XtSetValues(w, aa, num_args);
-if (num_args > 15) free(aa);
+if (num_args > 15) store_free(aa);
 }
 
 /* End of em_xs.c */

src/src/acl.c

@@ -1060,7 +1060,7 @@ static void
 setup_header(const uschar *hstring)
 {
 const uschar *p, *q;
-int hlen = Ustrlen(hstring);
+size_t hlen = Ustrlen(hstring);
 
 /* Ignore any leading newlines */
 while (*hstring == '\n') hstring++, hlen--;
@@ -1171,8 +1171,8 @@ uschar *
 fn_hdrs_added(void)
 {
 uschar * ret = NULL;
-int size = 0;
-int ptr = 0;
+size_t size = 0;
+size_t ptr = 0;
 header_line * h = acl_added_headers;
 uschar * s;
 uschar * cp;
@@ -1271,7 +1271,7 @@ if (log_message != NULL && log_message != user_message)
 
   if (logged == NULL)
     {
-    int length = Ustrlen(text) + 1;
+    size_t length = Ustrlen(text) + 1;
     log_write(0, LOG_MAIN, "%s", text);
     logged = store_malloc(sizeof(string_item) + length);
     logged->text = (uschar *)logged + sizeof(string_item);
@@ -1663,7 +1663,7 @@ typedef struct {
   int	   value;
   unsigned where_allowed;	/* bitmap */
   BOOL	   no_options;		/* Never has /option(s) following */
-  unsigned alt_opt_sep;		/* >0 Non-/ option separator (custom parser) */
+  size_t alt_opt_sep;		/* >0 Non-/ option separator (custom parser) */
   } verify_type_t;
 static verify_type_t verify_type_list[] = {
     { US"reverse_host_lookup",	VERIFY_REV_HOST_LKUP,	~0,	FALSE, 0 },
@@ -2352,7 +2352,7 @@ int mode = RATE_PER_WHAT;
 int old_pool, rc;
 tree_node **anchor, *t;
 open_db dbblock, *dbm;
-int dbdb_size;
+size_t dbdb_size;
 dbdata_ratelimit *dbd;
 dbdata_ratelimit_unique *dbdb;
 struct timeval tv;

src/src/auths/auth-spa.c

@@ -159,6 +159,7 @@ extern int DEBUGLEVEL;
 
 #include <sys/types.h>     /* For size_t */
 #include "auth-spa.h"
+#include "../store.h"
 #include <assert.h>
 #include <ctype.h>
 #include <stdio.h>
@@ -1401,7 +1402,7 @@ spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
   SIVAL (&request->flags, 0, 0x0000b207);      /* have to figure out what these mean */
   spa_string_add (request, user, u);
   spa_string_add (request, domain, domain);
-  free (u);
+  store_free (u);
 }
 
 
@@ -1483,8 +1484,8 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
 
   response->flags = challenge->flags;
 
-  free (d);
-  free (u);
+  store_free (d);
+  store_free (u);
 }
 #endif
 
@@ -1537,6 +1538,6 @@ spa_build_auth_response (SPAAuthChallenge * challenge,
   spa_string_add (response, sessionKey, NULL);
   response->flags = challenge->flags;
 
-  if (d != NULL) free (d);
-  free (u);
+  if (d != NULL) store_free (d);
+  store_free (u);
 }

src/src/auths/call_pam.c

@@ -100,7 +100,7 @@ for (i = 0; i < num_msg; i++)
     break;
 
     default:  /* Must be an error of some sort... */
-    free (reply);
+    store_free (reply);
     pam_conv_had_error = TRUE;
     return PAM_CONV_ERR;
     }

src/src/auths/check_serv_cond.c

@@ -72,7 +72,7 @@ HDEBUG(D_auth)
       debug_printf("  $auth%d = %s\n", i + 1, auth_vars[i]);
     }
   for (i = 1; i <= expand_nmax; i++)
-    debug_printf("  $%d = %.*s\n", i, expand_nlength[i], expand_nstring[i]);
+    debug_printf("  $%u = %.*s\n", i, (unsigned int)expand_nlength[i], expand_nstring[i]);
   debug_print_string(ablock->server_debug_string);    /* customized debug */
   }
 

src/src/auths/cram_md5.c

@@ -97,7 +97,7 @@ compute_cram_md5(uschar *secret, uschar *challenge, uschar *digestptr)
 {
 md5 base;
 int i;
-int len = Ustrlen(secret);
+size_t len = Ustrlen(secret);
 uschar isecret[64];
 uschar osecret[64];
 uschar md5secret[16];
@@ -250,7 +250,7 @@ auth_cram_md5_client(
   smtp_outblock *outblock,               /* output connection */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* for reading response */
-  int buffsize)                          /* size of buffer */
+  size_t buffsize)                          /* size of buffer */
 {
 auth_cram_md5_options_block *ob =
   (auth_cram_md5_options_block *)(ablock->options_block);

src/src/auths/cram_md5.h

@@ -27,6 +27,6 @@ extern auth_cram_md5_options_block auth_cram_md5_option_defaults;
 extern void auth_cram_md5_init(auth_instance *);
 extern int auth_cram_md5_server(auth_instance *, uschar *);
 extern int auth_cram_md5_client(auth_instance *, smtp_inblock *,
-                                smtp_outblock *, int, uschar *, int);
+                                smtp_outblock *, int, uschar *, size_t);
 
 /* End of cram_md5.h */

src/src/auths/gsasl_exim.c

@@ -358,7 +358,7 @@ auth_gsasl_server(auth_instance *ablock, uschar *initial_data)
         auth_get_no64_data((uschar **)&received, (uschar *)to_send);
 
     if (to_send) {
-      free(to_send);
+      store_free(to_send);
       to_send = NULL;
     }
 

src/src/auths/heimdal_gssapi.c

@@ -160,8 +160,8 @@ auth_heimdal_gssapi_init(auth_instance *ablock)
             principal ? principal : "??",
             entry.vno,
             enctype_s ? enctype_s : "??");
-        free(principal);
-        free(enctype_s);
+        store_free(principal);
+        store_free(enctype_s);
         krb5_kt_free_entry(context, &entry);
       }
       krc = krb5_kt_end_seq_get(context, keytab, &cursor);
@@ -467,7 +467,7 @@ auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
 
         expand_nlength[1] = gbufdesc_out.length;
         auth_vars[0] = expand_nstring[1] =
-          string_copyn(gbufdesc_out.value, gbufdesc_out.length);
+          string_copyn(gbufdesc_out.value, (size_t)gbufdesc_out.length);
 
         if (expand_nmax == 0) { /* should be: authzid was empty */
           expand_nmax = 2;

src/src/auths/plaintext.c

@@ -159,7 +159,7 @@ auth_plaintext_client(
   smtp_outblock *outblock,               /* connection outblock */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* buffer for reading response */
-  int buffsize)                          /* size of buffer */
+  size_t buffsize)                          /* size of buffer */
 {
 auth_plaintext_options_block *ob =
   (auth_plaintext_options_block *)(ablock->options_block);
@@ -175,7 +175,9 @@ sent in response to subsequent prompts. Each is expanded before being sent. */
 
 while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != NULL)
   {
-  int i, len, clear_len;
+  int i;
+  ssize_t clear_len;
+  size_t len;
   uschar *ss = expand_string(s);
   uschar *clear;
 

src/src/auths/plaintext.h

@@ -27,6 +27,6 @@ extern auth_plaintext_options_block auth_plaintext_option_defaults;
 extern void auth_plaintext_init(auth_instance *);
 extern int auth_plaintext_server(auth_instance *, uschar *);
 extern int auth_plaintext_client(auth_instance *, smtp_inblock *,
-                                 smtp_outblock *, int, uschar *, int);
+                                 smtp_outblock *, int, uschar *, size_t);
 
 /* End of plaintext.h */

src/src/auths/spa.c

@@ -259,7 +259,7 @@ auth_spa_client(
   smtp_outblock *outblock,               /* connection outblock */
   int timeout,                           /* command timeout */
   uschar *buffer,                        /* buffer for reading response */
-  int buffsize)                          /* size of buffer */
+  size_t buffsize)                          /* size of buffer */
 {
        auth_spa_options_block *ob =
                (auth_spa_options_block *)(ablock->options_block);

src/src/auths/spa.h

@@ -34,6 +34,6 @@ extern auth_spa_options_block auth_spa_option_defaults;
 extern void auth_spa_init(auth_instance *);
 extern int auth_spa_server(auth_instance *, uschar *);
 extern int auth_spa_client(auth_instance *, smtp_inblock *,
-                                 smtp_outblock *, int, uschar *, int);
+                                 smtp_outblock *, int, uschar *, size_t);
 
 /* End of spa.h */

src/src/auths/xtextencode.c

@@ -31,7 +31,7 @@ uschar *code;
 uschar *p = (uschar *)clear;
 uschar *pp;
 int c = len;
-int count = 1;
+size_t count = 1;
 register int x;
 
 /* We have to do a prepass to find out how many specials there are,