gnu/packages/patches/ytnef-CVE-2021-3403.patch

   1 From f2380a53fb84d370eaf6e6c3473062c54c57fac7 Mon Sep 17 00:00:00 2001
   2 From: Oliver Giles <ohw.giles@gmail.com>
   3 Date: Mon, 1 Feb 2021 10:12:16 +1300
   4 Subject: [PATCH] Prevent potential double-free in TNEFSubjectHandler
   5
   6 If TNEFSubjectHandler is called multiple times, but the last time
   7 failed due to the PREALLOCCHECK, the subject.data member will be
   8 a freed, but invalid pointer. To prevent a double-free next time
   9 TNEFSubjectHandler is entered, set it to zero after freeing.
  10
  11 Resolves: #85
  12 Reported-by: jasperla
  13 ---
  14  lib/ytnef.c | 4 +++-
  15  1 file changed, 3 insertions(+), 1 deletion(-)
  16
  17 diff --git a/lib/ytnef.c b/lib/ytnef.c
  18 index b148719..b06c807 100644
  19 --- a/lib/ytnef.c
  20 +++ b/lib/ytnef.c
  21 @@ -301,8 +301,10 @@ int TNEFFromHandler STD_ARGLIST {
  22  }
  23  // -----------------------------------------------------------------------------
  24  int TNEFSubjectHandler STD_ARGLIST {
  25 -  if (TNEF->subject.data)
  26 +  if (TNEF->subject.data) {
  27      free(TNEF->subject.data);
  28 +    TNEF->subject.data = NULL;
  29 +  }
  30
  31    PREALLOCCHECK(size, 100);
  32    TNEF->subject.data = calloc(size+1, sizeof(BYTE));