From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Sat, 13 Dec 2025 15:04:45 +0000 (+0200)
Subject: lib-var-expand: expansion-program - Limit input size
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2babe9a2d147c21ed0f2cf6b1b9aba46b1eb25c7;p=thirdparty%2Fdovecot%2Fcore.git

lib-var-expand: expansion-program - Limit input size

Allow at most 8192 bytes.
---

diff --git a/src/lib-var-expand/expansion-program.c b/src/lib-var-expand/expansion-program.c
index f0f16de605..c290cb06df 100644
--- a/src/lib-var-expand/expansion-program.c
+++ b/src/lib-var-expand/expansion-program.c
@@ -10,6 +10,8 @@
 #include "var-expand-parser.h"
 #include "expansion.h"
 
+#define MAX_PROGRAM_SIZE 8192
+
 extern void var_expand_parser_lex_init_extra(void*, void*);
 
 static const struct var_expand_params empty_params = {
@@ -22,6 +24,13 @@ int var_expand_program_create(const char *str,
 	int ret;
 	struct var_expand_parser_state state;
 	i_zero(&state);
+
+	if (strlen(str) > MAX_PROGRAM_SIZE) {
+		*error_r = t_strdup_printf("Program size exceeds maximum of %d bytes",
+					   MAX_PROGRAM_SIZE);
+		return -1;
+	}
+
 	pool_t pool =
 		pool_alloconly_create(MEMPOOL_GROWING"var expand program", 1024);
 	state.p = state.plist = p_new(pool, struct var_expand_program, 1);
diff --git a/src/lib-var-expand/test-var-expand.c b/src/lib-var-expand/test-var-expand.c
index b395b770ba..2a4db34944 100644
--- a/src/lib-var-expand/test-var-expand.c
+++ b/src/lib-var-expand/test-var-expand.c
@@ -670,6 +670,17 @@ static void test_var_expand_escape(void)
 		{ .in = "%{literal(\"\\\"\\\\hello\\\\world\\\"\")}", .out = "'\"\\hello\\world\"'", .ret = 0 },
 		/* Unsupported escape sequence */
 		{ .in = "%{literal('\\z')}", .out = "Invalid character escape", .ret = -1 },
+#define STR10(x) x x x x x x x x x x
+#define STR100(x) STR10(x) STR10(x) STR10(x) STR10(x) STR10(x) STR10(x) STR10(x) STR10(x) STR10(x) STR10(x)
+		/* Too long content */
+		{
+			.in = STR100("0123456789012345678901234567890123456789"
+				     "0123456789012345678901234567890123456789"
+				     "01234567890123456789"),
+			.out = "Program size exceeds maximum of 8192 bytes",
+			.ret = -1,
+		},
+
 	};
 
 	const struct var_expand_params params = {