From 21b172df101c2c52faf0cc56a502395451975be9 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 24 Aug 2023 15:51:21 +0100
Subject: [PATCH 2/2] Re-fix live variable $value free.  The inital fix
 resulted in $value from ${run...} not being available later, which is a
 documented feature.

Broken=by: cf3fecb9e873
---
 doc/doc-docbook/spec.xfpt |  1 +
 doc/ChangeLog     |  4 ++--
 src/exim.c            |  3 ++-
 test/confs/0635           |  1 +
 test/log/0635             |  1 +
 test/mail/0635.CALLER     | 13 +++++++++++++
 6 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 test/mail/0635.CALLER

--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -76,10 +76,13 @@ JH/31 Bug 2998: Fix ${utf8clean:...} to
       editor insists on emitting only valid UTF-8.
 
 JH/32 Fix "tls_dhparam = none" under GnuTLS.  At least with 3.7.9 this gave
       a null-indireciton SIGSEGV for the receive process.
 
+JH/33 Fix free for live variable $value created by a ${run ...} expansion during
+      -bh use.  Internal checking would spot this and take a panic.
+
 JH/34 Bug 3013: Fix use of $recipients within arguments for ${run...}.
       In 4.96 this would expand to empty.
 
 JH/35 Bug 3014: GnuTLS: fix expiry date for an auto-generated server
       certificate.  Find and fix by Andreas Metzler.
--- a/src/exim.c
+++ b/src/exim.c
@@ -5754,11 +5754,11 @@ for (BOOL more = TRUE; more; )
     for (int i = 0; i < count; i++)
       {
       int start, end, domain;
       uschar * errmess;
       /* There can be multiple addresses, so EXIM_DISPLAYMAIL_MAX (tuned for 1) is too short.
-       * We'll still want to cap it to something, just in case. */
+      We'll still want to cap it to something, just in case. */
       uschar * s = string_copy_taint(
 	exim_str_fail_toolong(list[i], BIG_BUFFER_SIZE, "address argument"),
 	GET_TAINTED);
 
       /* Loop for each comma-separated address */
@@ -6089,10 +6089,11 @@ MORELOOP:
   callout_address = NULL;
   sending_ip_address = NULL;
   deliver_localpart_data = deliver_domain_data =
   recipient_data = sender_data = NULL;
   acl_var_m = NULL;
+  lookup_value = NULL;                            /* Can be set by ACL */
 
   store_reset(reset_point);
   }
 
 exim_exit(EXIT_SUCCESS);   /* Never returns */
--- a/doc/spec.txt
+++ b/doc/spec.txt
@@ -9650,10 +9650,13 @@ ${run <options> {<command arg list>}{<st
     If the command requires shell idioms, such as the > redirect operator, the
     shell must be invoked directly, such as with:
 
     ${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}}
 
+    Note that $value will not persist beyond the reception of a single
+    message.
+
     The return code from the command is put in the variable $runrc, and this
     remains set afterwards, so in a filter file you can do things like this:
 
     if "${run{x y z}{}}$runrc" is 1 then ...
       elif $runrc is 2 then ...