[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Nmh-workers] Fix for a mhshow double free crash
From: |
Josh Bressers |
Subject: |
[Nmh-workers] Fix for a mhshow double free crash |
Date: |
Thu, 03 Nov 2005 14:51:10 -0500 |
I received a bug report today regarding a double free error in mhshow:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172388
When you try to display a multipart message with mhshow where one of the
sections has an empty Content-Type, mhshow will try to close a file stream
twice.
What's happening is that in the InitMultiPart() function, the file stream
is being passed to the get_content() function, which when it encounters an
error, closes the filestream and return NULL. The InitMultiPart() function
will also try to close the filestream if get_content returns NULL.
The patch is trivial:
Index: uip/mhparse.c
===================================================================
RCS file: /cvsroot/nmh/nmh/uip/mhparse.c,v
retrieving revision 1.11
diff -a -u -r1.11 mhparse.c
--- uip/mhparse.c 30 Sep 2003 16:58:43 -0000 1.11
+++ uip/mhparse.c 3 Nov 2005 19:45:45 -0000
@@ -1056,7 +1056,6 @@
if (!(p = get_content (fp, ct->c_file,
ct->c_subtype == MULTI_DIGEST ? -1 : 0))) {
- fclose (ct->c_fp);
ct->c_fp = NULL;
return NOTOK;
}
There is a reproducer at the above URL.
--
JB
- [Nmh-workers] Fix for a mhshow double free crash,
Josh Bressers <=