author | gavan <gavan@pkgsrc.org> | 2020-08-20 16:40:57 +0000 |
---|---|---|
committer | gavan <gavan@pkgsrc.org> | 2020-08-20 16:40:57 +0000 |
commit | aa747628b669626d9266ff6b84e474defc0fa116 (patch) | |
tree | c52170ad11c647e552070e8a1aee8f4187d0ccbd | |
parent | 02c3d12ac1db1e1c096e145f73838f443754db7e (diff) | |
download | pkgsrc-aa747628b669626d9266ff6b84e474defc0fa116.tar.gz |
exim: fix crash on startup if log_buffer is allocated right after taint pool
The check whether a block of memory is tainted erroneously returns true
if the block in question starts the very next byte after a block in the
tainted pool. Depending on the memory allocator, this can cause problems.
For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted
block immediately before log_buffer. This leads to a recursive error in
log_write the first time anything is written to the log, leading to a
segmentation fault when the stack fills up.
-rw-r--r-- | mail/exim/Makefile | 4 | ||||
-rw-r--r-- | mail/exim/distinfo | 3 | ||||
-rw-r--r-- | mail/exim/patches/patch-src_store.c | 21 |
3 files changed, 25 insertions, 3 deletions
diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index a4a960cbead..1ba4150a0cc 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.180 2020/06/02 08:24:14 adam Exp $
+# $NetBSD: Makefile,v 1.181 2020/08/20 16:40:57 gavan Exp $
 DISTNAME= exim-4.94
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= mail net
 MASTER_SITES= ftp://ftp.exim.org/pub/exim/exim4/
 MASTER_SITES+= https://ftp.exim.org/pub/exim/exim4/
diff --git a/mail/exim/distinfo b/mail/exim/distinfo
index 0d2d8f42c62..b45efa9b780 100644
--- a/mail/exim/distinfo
+++ b/mail/exim/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.77 2020/06/01 19:42:48 adam Exp $
+$NetBSD: distinfo,v 1.78 2020/08/20 16:40:57 gavan Exp $
 SHA1 (exim-4.94.tar.xz) = 60323c206be7d9f535c4bd369b470a514e489cd5
 RMD160 (exim-4.94.tar.xz) = 6b51d059d9667c732df9ccb87f0de9b341c35281
@@ -9,3 +9,4 @@ SHA1 (patch-OS_Makefile-Default) = 6af17f036ed02a3bc37c1f303269eea447fcb691
 SHA1 (patch-lookups_Makefile) = cfc40dba3f75ef37b9887f7767139ad50cf9d4e5
 SHA1 (patch-scripts_exim__install) = aa0a31e77d5f76e33bc92140c14d39c79f710b95
 SHA1 (patch-src_exicyclog.src) = cea5f04f52c9264fd7d279c046686dac2dc57a65
+SHA1 (patch-src_store.c) = db12aefb50c2741cb525b7363c4bafbe353dfc5f
diff --git a/mail/exim/patches/patch-src_store.c b/mail/exim/patches/patch-src_store.c
new file mode 100644
index 00000000000..29f9cd12807
--- /dev/null
+++ b/mail/exim/patches/patch-src_store.c
@@ -0,0 +1,21 @@
+$NetBSD: patch-src_store.c,v 1.1 2020/08/20 16:40:57 gavan Exp $
+
+--- src/store.c.orig 2020-05-30 20:35:38.000000000 +0000
++++ src/store.c
+@@ -188,14 +188,14 @@ for (int pool = POOL_TAINT_BASE; pool <
+ if ((b = current_block[pool]))
+ {
+ uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
+- if (US p >= bc && US p <= bc + b->length) return TRUE;
++ if (US p >= bc && US p < bc + b->length) return TRUE;
+ }
+
+ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
+ for (b = chainbase[pool]; b; b = b->next)
+ {
+ uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
+- if (US p >= bc && US p <= bc + b->length) return TRUE;
++ if (US p >= bc && US p < bc + b->length) return TRUE;
+ }
+ return FALSE;
+ }
|
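Review bot: The new patch-src_store.c has no description between its `$NetBSD$` line and the `--- src/store.c.orig` header, even though it narrows the range that the taint check reports as tainted. A short comment there would record the reason and the upstream status, for example `Fix off-by-one in the taint range check: an address one past a tainted block was treated as tainted.` followed by `Upstream: <bug or commit reference>`. The exclusive bound `US p < bc + b->length` is applied identically in both loops (current_block and chainbase), and it is only correct if `b->length` is the full size of the block's data area; the hunk does not show that, so the comment should state it. The enclosing function starts outside the embedded hunk.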