[Users] [Bug 3598] use after free in function summary_execute_move_func()
noreply at thewildbeast.co.uk
Sat Jan 23 13:32:15 CET 2016
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3598
--- Comment #2 from Hanno Boeck <hanno at hboeck.de> ---
What asan does is essentially that it records freed memory and will throw an
error if you try to access it.
Your code lines both seem problematic:
line 5185: if (msginfo && MSG_IS_MOVE(msginfo->flags) && msginfo->to_folder)
{
This seems to assume that "if (msginfo" will tell you whether msginfo contains
a valid object, i.e. it must contain a null pointer if it doesn't.
In order to have this guarantee you must
a) pre-initialize the pointer with null
b) make sure on every free it gets assigned null
There are many such checks in the code.
line 5197: if (prefs_common.thread_by_subject &&
msginfo->subject && *msginfo->subject &&
node == subject_table_lookup(summaryview->subject_table,
msginfo->subject)) {
This is the same issue, except that it seems to expect msginfo->subject to be
always null.
This seems like a bigger issue that is scattered throughout the codebase...
Essentially each line like this:
procmsg_msginfo_free(msginfo);
would need a
msginfo = NULL;
after it.
Not sure how to start tackling this, it seems a lot of work. (But would
probably increase overall stability, these uaf issues can lead to weird
instability behavior.)
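The comment's point, shown as an added example that is not Claws Mail code: a plain free leaves the caller's variable holding the old address, so an `if (msginfo && ...)` guard passes and the next field access reads freed memory, while a free that also nulls the variable makes the same guard safe. The `MsgInfo` struct, `msginfo_new`, `msginfo_free`, `msginfo_release` and the flag macro below are this example's own stand-ins, chosen to mirror the checks quoted above, and are not the project's types or functions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the MsgInfo object discussed in the bug report.
 * Field names mirror the quoted checks (flags, subject, to_folder), but the
 * struct and the functions in this file are the example's own, not Claws
 * Mail code. */
typedef struct MsgInfo {
    unsigned int flags;
    char *subject;
    void *to_folder;
} MsgInfo;

#define MSG_MOVE_FLAG 0x1u
#define MSG_IS_MOVE(f) (((f) & MSG_MOVE_FLAG) != 0)

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

MsgInfo *msginfo_new(const char *subject)
{
    MsgInfo *m = calloc(1, sizeof *m);
    if (!m)
        return NULL;
    m->subject = dup_string(subject);
    if (!m->subject) {
        free(m);
        return NULL;
    }
    return m;
}

/* Classic free: releases the object but cannot touch the caller's variable,
 * which keeps holding the old address afterwards. */
void msginfo_free(MsgInfo *m)
{
    if (!m)
        return;
    free(m->subject);
    free(m);
}

/* Null-after-free variant: takes the address of the caller's pointer so the
 * variable itself is reset. This is what makes a later `if (msginfo)` sound,
 * and is equivalent to writing `msginfo = NULL;` after every free call. */
void msginfo_release(MsgInfo **pm)
{
    if (!pm)
        return;
    msginfo_free(*pm);
    *pm = NULL;
}

/* The guard from the quoted line 5185 written as a predicate: returns 1 when
 * the "move" branch would run. It reads m->flags only after checking m, so it
 * is exactly as safe as the promise that freed pointers have been nulled. */
int move_branch_taken(const MsgInfo *m)
{
    return m && MSG_IS_MOVE(m->flags) && m->to_folder != NULL;
}

/* Buggy lifecycle: free, then run into the guard. The variable still holds
 * the freed address, so its first clause (m != NULL) is true and the real
 * code would go on to read m->flags from freed memory, which is what ASan
 * reports as heap-use-after-free. This function stops at that first clause
 * and deliberately never dereferences m. */
int guard_first_clause_after_plain_free(void)
{
    int dummy_folder = 0;
    MsgInfo *m = msginfo_new("re: test");   /* constructed sample input */
    if (!m)
        return -1;
    m->flags |= MSG_MOVE_FLAG;
    m->to_folder = &dummy_folder;
    msginfo_free(m);            /* m is now dangling, not NULL */
    return m != NULL;           /* 1: the guard would not stop us */
}

/* Fixed lifecycle: the same sequence with the nulling free. The guard now
 * sees NULL and skips the branch without touching freed memory. */
int move_branch_after_nulling_free(void)
{
    int dummy_folder = 0;
    MsgInfo *m = msginfo_new("re: test");   /* constructed sample input */
    if (!m)
        return -1;
    m->flags |= MSG_MOVE_FLAG;
    m->to_folder = &dummy_folder;
    msginfo_release(&m);        /* m == NULL */
    return move_branch_taken(m); /* 0: branch skipped safely */
}

int main(void)
{
    printf("plain free, guard's first clause passes: %d\n",
           guard_first_clause_after_plain_free());
    printf("nulling free, move branch taken: %d\n",
           move_branch_after_nulling_free());
    return 0;
}
```

Build with `-fsanitize=address` to see the difference in the real code path: ASan does not complain about comparing a freed pointer to NULL, only about dereferencing it, which is why the guard alone gives no protection. Note that nulling fixes only the variable it is applied to; any other copy of the address, for example a reference kept in a list node or in a lookup structure such as the subject table mentioned above, still dangles, so the pointer has to be cleared or the entry removed at every place a reference is stored before the object is freed.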