From 05bf16f6217e93594929c8bbbbbc852caf3ed374 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 12 Feb 2019 16:52:51 +0000
Subject: [PATCH] Fix transport buffer size handling Broken-by: 59932f7dcd

---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/transport.c   | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9313c7b28..18db733aa 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -22,6 +22,9 @@ JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
 
 JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
 
+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+
 
 Exim version 4.92
 -----------------
diff --git a/src/src/transport.c b/src/src/transport.c
index 0fa90cb04..f34db0914 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1108,13 +1108,13 @@ DEBUG(D_transport)
 
 if (!(tctx->options & topt_no_body))
   {
-  int size = size_limit;
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;
 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;
-  while (  (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0
 	&& (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))
-- 
2.25.1