[Users] [Bug 3598] use after free in function summary_execute_move_func()

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Sat Jan 23 13:42:07 CET 2016


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3598

--- Comment #3 from Andrej Kacian <andrej at kacian.sk> ---
That's (In reply to comment #2)
> Essentially each line like this:
> procmsg_msginfo_free(msginfo);
> would need a
> msginfo = NULL;
> after it.
> 
> Not sure how to start tackling this, it seems a lot of work. (But would
> probably increase overall stability, these uaf issues can lead to weird
> instability behavior.)

Yes, that was my proposed solution. I think a "msginfo = NULL;" line at the end
of procmsg_msginfo_free() should be enough to fix this particular
use-after-free instance, as that function is the only way we use to free the
heap-allocated MsgInfo structs.

Setting all the pointer members of MsgInfo to NULL in procmsg_msginfo_free() is
a nice safety bonus, and shouldn't incur much performance penalty.

-- 
You are receiving this mail because:
You are the assignee for the bug.



More information about the Users mailing list