========================================================================
CVE-2020-PFPZA -- Heap out-of-bounds write in parse_fix_phrase()
========================================================================

If a local attacker executes Exim with an empty originator_name (-F ''),
then parse_fix_phrase() allocates a zero-sized buffer (at line 982), but
writes a null byte to buffer[1] (at line 1149):

4772 originator_name = parse_fix_phrase(originator_name, Ustrlen(originator_name));

 960 const uschar *
 961 parse_fix_phrase(const uschar *phrase, int len)
 962 {
 ...
 982 buffer = store_get(len*4, is_tainted(phrase));
 983
 984 s = phrase;
 985 end = s + len;
 986 yield = t = buffer + 1;
 987
 988 while (s < end)
 989   {
....
1147   }
1148
1149 *t = 0;

/usr/sbin/exim4 -bt -F ''

We have not tried to exploit this vulnerability; if exploitable, it
would allow an unprivileged local attacker to obtain full root
privileges.
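
The size arithmetic described above, replayed as a bounds-checked model
(an added example, not Exim's code and not part of the advisory). The
names size_hardened() and first_oob_write(), the corrected size formula,
and the byte-copy loop body are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size passed to store_get() on line 982 of the excerpt. */
static size_t size_as_shipped(size_t len) { return len * 4; }

/* Hypothetical corrected size (an assumption, not quoted from the
   advisory): one extra unit so offsets 0 and 1 exist even for len == 0. */
static size_t size_hardened(size_t len) { return (len + 1) * 4; }

/* Replays the pointer arithmetic of parse_fix_phrase() against a buffer of
   `alloc` bytes, checking every write before it is made. The loop body is
   reduced to a byte copy (simplification; the real body is elided on the
   page). Returns the offset of the first out-of-bounds write, -1 if every
   write including "*t = 0" stays in bounds, or -2 if allocation fails. */
static long first_oob_write(const char *phrase, size_t len, size_t alloc)
{
  char *buffer = calloc(alloc + 1, 1);  /* +1 so a zero-byte request is avoided */
  size_t t = 1;                         /* line 986: yield = t = buffer + 1 */
  long oob = -1;

  if (buffer == NULL) return -2;
  for (size_t s = 0; s < len && oob < 0; s++)  /* line 988: while (s < end) */
    {
    if (t >= alloc) oob = (long)t; else buffer[t] = phrase[s];
    t++;
    }
  if (oob < 0 && t >= alloc) oob = (long)t;    /* line 1149: *t = 0 */
  else if (oob < 0) buffer[t] = 0;
  free(buffer);
  return oob;
}

int main(void)
{
  const char *names[] = { "", "A", "Alice Example" };  /* constructed inputs */
  for (size_t i = 0; i < 3; i++)
    {
    size_t len = strlen(names[i]);
    printf("len=%zu shipped=%ld hardened=%ld\n", len,
           first_oob_write(names[i], len, size_as_shipped(len)),
           first_oob_write(names[i], len, size_hardened(len)));
    }
  return 0;
}
```

Only the empty name trips the check with the shipped size: the loop never
runs, so the terminating write at offset 1 is the first and only store.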

