if (ob->server_param2)\r
{\r
uschar * s = expand_string(ob->server_param2);\r
-diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c\r
-index 222ccea..66967d6 100644\r
---- a/src/src/auths/spa.c\r
-+++ b/src/src/auths/spa.c\r
-@@ -166,12 +166,18 @@ if (auth_get_no64_data(&data, msgbuf) != OK)\r
- return FAIL;\r
- \r
- /* dump client response */\r
--if (spa_base64_to_bits(CS &response, sizeof(response), CCS data) < 0)\r
-+int l = spa_base64_to_bits(CS &response, sizeof(response), CCS data);\r
-+if (l < 0)\r
- {\r
- DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "\r
- "response: %s\n", data);\r
- return FAIL;\r
- }\r
-+if(l < (char *)&response.buffer - (char *)&response)return FAIL;\r
-+unsigned long o = IVAL(&response.uUser.offset, 0);\r
-+if((l < o) || (l - o < SVAL(&response.uUser.len, 0)))return FAIL;\r
-+o = IVAL(&response.ntResponse.offset, 0);\r
-+if((l < o) || (l - o < 24))return FAIL;\r
- \r
- /***************************************************************\r
- PH 07-Aug-2003: The original code here was this:\r
-@@ -346,7 +352,10 @@ if (!smtp_read_response(sx, US buffer, buffsize, '3', timeout))\r
- \r
- /* convert the challenge into the challenge struct */\r
- DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);\r
--spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));\r
-+int l = spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));\r
-+if((l < 0) || (l < (char *)&challenge.buffer - (char *)&challenge))return FAIL;\r
-+unsigned long o = IVAL(&challenge.uDomain.offset, 0);\r
-+if((l < o) || (l - o < SVAL(&challenge.uDomain.len, 0)))return FAIL;\r
- \r
- spa_build_auth_response(&challenge, &response, CS username, CS password);\r
- spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));\r
diff --git a/src/src/proxy.c b/src/src/proxy.c\r
index fbce111..8dd7034 100644\r
--- a/src/src/proxy.c\r