Browse code
fuzz-20756: Fix memory leak in mail parser
Fixes at least one memory leak in the mail parser caused by improper
cleanup of multipart messages.
Micah Snyder authored on 2020/07/30 06:14:43Showing 1 changed files
| ... | ... |
@@ -1876,9 +1876,9 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 1876 | 1876 |
free((char *)boundary); |
| 1877 | 1877 |
mimeType = NOMIME; |
| 1878 | 1878 |
/* |
| 1879 |
- * The break means that we will still |
|
| 1880 |
- * check if the file contains a yEnc/binhex file |
|
| 1881 |
- */ |
|
| 1879 |
+ * The break means that we will still |
|
| 1880 |
+ * check if the file contains a yEnc/binhex file |
|
| 1881 |
+ */ |
|
| 1882 | 1882 |
break; |
| 1883 | 1883 |
} |
| 1884 | 1884 |
/* |
| ... | ... |
@@ -2217,7 +2217,14 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2217 | 2217 |
free((char *)boundary); |
| 2218 | 2218 |
|
| 2219 | 2219 |
if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx, &rc)) {
|
| 2220 |
- DO_FREE(messages); |
|
| 2220 |
+ if (messages) {
|
|
| 2221 |
+ for (i = 0; i < multiparts; i++) {
|
|
| 2222 |
+ if (messages[i]) |
|
| 2223 |
+ messageDestroy(messages[i]); |
|
| 2224 |
+ } |
|
| 2225 |
+ free(messages); |
|
| 2226 |
+ messages = NULL; |
|
| 2227 |
+ } |
|
| 2221 | 2228 |
break; |
| 2222 | 2229 |
} |
| 2223 | 2230 |
|
| ... | ... |
@@ -2254,10 +2261,12 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2254 | 2254 |
|
| 2255 | 2255 |
if (infected || ((multiparts == 0) && (aText == NULL))) {
|
| 2256 | 2256 |
if (messages) {
|
| 2257 |
- for (i = 0; i < multiparts; i++) |
|
| 2257 |
+ for (i = 0; i < multiparts; i++) {
|
|
| 2258 | 2258 |
if (messages[i]) |
| 2259 | 2259 |
messageDestroy(messages[i]); |
| 2260 |
+ } |
|
| 2260 | 2261 |
free(messages); |
| 2262 |
+ messages = NULL; |
|
| 2261 | 2263 |
} |
| 2262 | 2264 |
if (aText && (textIn == NULL)) |
| 2263 | 2265 |
textDestroy(aText); |
| ... | ... |
@@ -2451,12 +2460,14 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2451 | 2451 |
textDestroy(aText); |
| 2452 | 2452 |
} |
| 2453 | 2453 |
|
| 2454 |
- for (i = 0; i < multiparts; i++) |
|
| 2455 |
- if (messages[i]) |
|
| 2456 |
- messageDestroy(messages[i]); |
|
| 2457 |
- |
|
| 2458 |
- if (messages) |
|
| 2454 |
+ if (messages) {
|
|
| 2455 |
+ for (i = 0; i < multiparts; i++) {
|
|
| 2456 |
+ if (messages[i]) |
|
| 2457 |
+ messageDestroy(messages[i]); |
|
| 2458 |
+ } |
|
| 2459 | 2459 |
free(messages); |
| 2460 |
+ messages = NULL; |
|
| 2461 |
+ } |
|
| 2460 | 2462 |
|
| 2461 | 2463 |
#if HAVE_JSON |
| 2462 | 2464 |
mctx->wrkobj = saveobj; |
| ... | ... |
@@ -2518,8 +2529,15 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2518 | 2518 |
|
| 2519 | 2519 |
if (mainMessage && (mainMessage != messageIn)) |
| 2520 | 2520 |
messageDestroy(mainMessage); |
| 2521 |
- if (messages) |
|
| 2521 |
+ |
|
| 2522 |
+ if (messages) {
|
|
| 2523 |
+ for (i = 0; i < multiparts; i++) {
|
|
| 2524 |
+ if (messages[i]) |
|
| 2525 |
+ messageDestroy(messages[i]); |
|
| 2526 |
+ } |
|
| 2522 | 2527 |
free(messages); |
| 2528 |
+ messages = NULL; |
|
| 2529 |
+ } |
|
| 2523 | 2530 |
#if HAVE_JSON |
| 2524 | 2531 |
mctx->wrkobj = saveobj; |
| 2525 | 2532 |
#endif |
| ... | ... |
@@ -2567,7 +2585,12 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
| 2567 | 2567 |
if (messages) {
|
| 2568 | 2568 |
/* "can't happen" */ |
| 2569 | 2569 |
cli_warnmsg("messages != NULL\n");
|
| 2570 |
+ for (i = 0; i < multiparts; i++) {
|
|
| 2571 |
+ if (messages[i]) |
|
| 2572 |
+ messageDestroy(messages[i]); |
|
| 2573 |
+ } |
|
| 2570 | 2574 |
free(messages); |
| 2575 |
+ messages = NULL; |
|
| 2571 | 2576 |
} |
| 2572 | 2577 |
} |
| 2573 | 2578 |
|