From f2380a53fb84d370eaf6e6c3473062c54c57fac7 Mon Sep 17 00:00:00 2001
From: Oliver Giles
Date: Mon, 1 Feb 2021 10:12:16 +1300
Subject: [PATCH] Prevent potential double-free in TNEFSubjectHandler

If TNEFSubjectHandler is called multiple times, but the last time failed due to the PREALLOCCHECK, the subject.data member will be a freed, but invalid pointer. To prevent a double-free next time TNEFSubjectHandler is entered, set it to zero after freeing.

Resolves: #85
Reported-by: jasperla
---
 lib/ytnef.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/ytnef.c b/lib/ytnef.c
index b148719..b06c807 100644
--- a/lib/ytnef.c
+++ b/lib/ytnef.c
@@ -301,8 +301,10 @@ int TNEFFromHandler STD_ARGLIST {
 }
 // -----------------------------------------------------------------------------
 int TNEFSubjectHandler STD_ARGLIST {
- if (TNEF->subject.data)
+ if (TNEF->subject.data) {
 free(TNEF->subject.data);
+ TNEF->subject.data = NULL;
+ }
 PREALLOCCHECK(size, 100);
 TNEF->subject.data = calloc(size+1, sizeof(BYTE));