[Users] [Bug 3598] use after free in function summary_execute_move_func()
noreply at thewildbeast.co.uk
Sat Jan 23 12:47:29 CET 2016
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3598
--- Comment #1 from Andrej Kacian <andrej at kacian.sk> ---
I am not familiar with how exactly asan works, but from the attachment I get
the impression that it overwrites (marks) freed heap memory areas with
arbitrary bytes. Could this bug then be triggered by procmsg_msginfo_free() not
zeroing out pointers to memory it frees?
I can see that e.g. in summary_execute_move_func(), if the "msginfo" pointer
points to freed memory (perhaps freed by messageview_clear(), called from
summary_unthread_for_exec(), which itself is called one or two stack frames
above and before summary_execute_move_func()), and asan overwrites the freed
memory with 0xfd, then most of the conditions touching the "msginfo" pointer in
this function would evaluate to true:
line 5185: if (msginfo && MSG_IS_MOVE(msginfo->flags) && msginfo->to_folder) {

line 5197: if (prefs_common.thread_by_subject &&
               msginfo->subject && *msginfo->subject &&
               node == subject_table_lookup(summaryview->subject_table,
                                            msginfo->subject)) {
Possible solution: perhaps have procmsg_msginfo_free() assign NULL to each
pointer to memory it frees? E.g.:
g_free(msginfo->fromspace);
msginfo->fromspace = NULL;
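The mechanism the comment describes, as an added example that is not part of the bug report or of claws-mail's code: a constructed stand-in for the message struct (not the real MsgInfo; MSG_MOVE_FLAG is an assumed bit, since the real flag layout is not on the page), a poison fill that mimics what a 0xfd-filled freed block looks like to the condition at line 5185, and two release helpers. msginfo_free_members() is the pattern proposed in the comment (NULL each member pointer after freeing it), which protects code that later reads the members through a struct that is itself still valid. msginfo_free_and_null() is a hypothetical extension for the case the comment actually suspects, where the struct itself has been freed: nulling members inside a block that is then freed cannot help a caller that still holds a pointer to that block, so the caller's pointer is taken by address and cleared, which makes the leading `msginfo &&` test short-circuit instead of reading freed memory. The poison fill is applied to a live stack struct so the demo has no undefined behaviour of its own.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the message struct (not claws-mail's MsgInfo):
 * only the members the quoted conditions read. */
typedef struct MsgInfo {
    unsigned int flags;
    char *subject;
    char *fromspace;
    void *to_folder;
} MsgInfo;

/* Assumed flag bit; the real MSG_IS_MOVE() layout is not on the page. */
#define MSG_MOVE_FLAG 0x1u
#define MSG_IS_MOVE(f) (((f) & MSG_MOVE_FLAG) != 0)

/* Byte value ASan's report showed in the freed block. */
#define POISON_BYTE 0xfd

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

MsgInfo *msginfo_new(const char *subject, void *to_folder)
{
    MsgInfo *mi = calloc(1, sizeof *mi);
    if (!mi)
        return NULL;
    mi->subject = dup_str(subject);
    mi->fromspace = dup_str("");
    mi->to_folder = to_folder;
    return mi;
}

/* The condition from line 5185: true means the caller goes on to use
 * msginfo->to_folder and later msginfo->subject. */
int would_execute_move(const MsgInfo *mi)
{
    return mi && MSG_IS_MOVE(mi->flags) && mi->to_folder != NULL;
}

/* Simulates the state described in the comment: every byte of the
 * (notionally freed) struct is 0xfd. flags becomes 0xfdfdfdfd, so the
 * MOVE bit is set, and to_folder becomes a non-NULL garbage address, so
 * the condition evaluates true and the caller proceeds into the freed
 * object. A live stack struct is poisoned here, so nothing is actually
 * read after free. */
int move_condition_on_poisoned(void)
{
    MsgInfo scratch;
    memset(&scratch, POISON_BYTE, sizeof scratch);
    return would_execute_move(&scratch);
}

/* Pattern proposed in the comment: NULL each member pointer right after
 * freeing it (g_free() in claws-mail, free() here). Guards later reads of
 * the members through a struct that is itself still allocated. */
void msginfo_free_members(MsgInfo *mi)
{
    if (!mi)
        return;
    free(mi->subject);
    mi->subject = NULL;
    free(mi->fromspace);
    mi->fromspace = NULL;
    mi->to_folder = NULL;
}

/* Hypothetical helper for the case the comment suspects: the struct itself
 * is freed. Clearing the caller's pointer makes `if (msginfo && ...)`
 * short-circuit instead of dereferencing a dangling pointer. */
void msginfo_free_and_null(MsgInfo **pmi)
{
    if (!pmi || !*pmi)
        return;
    msginfo_free_members(*pmi);
    free(*pmi);
    *pmi = NULL;
}
```

Clearing the caller's pointer only covers the one pointer passed in; any other copy of it (a tree node's data pointer, a cached pointer in another view) still dangles, which is why a double-free or use-after-free fix usually also has to find every place the pointer was stored.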