From 0f8814a1d8db65d1815a6a544a08fb2b6b9207ed Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Mon, 11 Sep 2023 15:50:35 +0100
Subject: [PATCH] Fix ${tr...} and empty-strings.  Bug 3023

(cherry picked from commit b015574531cf18b2126edb9da5a99dad659207dd)
---
 doc/ChangeLog        | 3 +++
 src/expand.c             | 9 ++++-----
 test/scripts/0000-Basic/0002 | 1 +
 test/stdout/0002             | 1 +
 4 files changed, 9 insertions(+), 5 deletions(-)

--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -85,10 +85,13 @@ JH/34 Bug 3013: Fix use of $recipients w
       In 4.96 this would expand to empty.
 
 JH/35 Bug 3014: GnuTLS: fix expiry date for an auto-generated server
       certificate.  Find and fix by Andreas Metzler.
 
+JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
+      and ${tr...}.  Found and diagnosed by Heiko Schlichting.
+
 Exim version 4.96
 -----------------
 
 JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
       after reception to before a subsequent reception.  This should
--- a/src/expand.c
+++ b/src/expand.c
@@ -5696,20 +5696,19 @@ while (*s)
         case 1: goto EXPAND_FAILED_CURLY;
         case 2:
         case 3: goto EXPAND_FAILED;
         }
 
-      yield = string_cat(yield, sub[0]);
-      o2m = Ustrlen(sub[2]) - 1;
-
-      if (o2m >= 0) for (; oldptr < yield->ptr; oldptr++)
+      if (  (yield = string_cat(yield, sub[0]))
+         && (o2m = Ustrlen(sub[2]) - 1) >= 0)
+	  for (; oldptr < yield->ptr; oldptr++)
         {
         uschar *m = Ustrrchr(sub[1], yield->s[oldptr]);
         if (m)
           {
           int o = m - sub[1];
-          yield->s[oldptr] = sub[2][(o < o2m)? o : o2m];
+          yield->s[oldptr] = sub[2][o < o2m ? o : o2m];
           }
         }
 
       if (skipping) continue;
       break;