HCoop / jackhill / guix / guix.git / blame
| Commit | Line | Data |
|---|---|---|
| 090456da LLB |
1 | From f2380a53fb84d370eaf6e6c3473062c54c57fac7 Mon Sep 17 00:00:00 2001 |
| 2 | From: Oliver Giles <ohw.giles@gmail.com> | |
| 3 | Date: Mon, 1 Feb 2021 10:12:16 +1300 | |
| 4 | Subject: [PATCH] Prevent potential double-free in TNEFSubjectHandler | |
| 5 | ||
| 6 | If TNEFSubjectHandler is called multiple times, but the last time | |
| 7 | failed due to the PREALLOCCHECK, the subject.data member will be | |
| 8 | a freed, but invalid pointer. To prevent a double-free next time | |
| 9 | TNEFSubjectHandler is entered, set it to zero after freeing. | |
| 10 | ||
| 11 | Resolves: #85 | |
| 12 | Reported-by: jasperla | |
| 13 | --- | |
| 14 | lib/ytnef.c | 4 +++- | |
| 15 | 1 file changed, 3 insertions(+), 1 deletion(-) | |
| 16 | ||
| 17 | diff --git a/lib/ytnef.c b/lib/ytnef.c | |
| 18 | index b148719..b06c807 100644 | |
| 19 | --- a/lib/ytnef.c | |
| 20 | +++ b/lib/ytnef.c | |
| 21 | @@ -301,8 +301,10 @@ int TNEFFromHandler STD_ARGLIST { | |
| 22 | } | |
| 23 | // ----------------------------------------------------------------------------- | |
| 24 | int TNEFSubjectHandler STD_ARGLIST { | |
| 25 | - if (TNEF->subject.data) | |
| 26 | + if (TNEF->subject.data) { | |
| 27 | free(TNEF->subject.data); | |
| 28 | + TNEF->subject.data = NULL; | |
| 29 | + } | |
| 30 | ||
| 31 | PREALLOCCHECK(size, 100); | |
| 32 | TNEF->subject.data = calloc(size+1, sizeof(BYTE)); |