From 7fe7a0316f7bc0c9111d00a2c916d87b3db47d0f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 7 Sep 2021 11:47:50 +0200
Subject: [PATCH] Fix #81422: Potential double-free in mailparse_uudecode_all()
We must not release the outpath multiple times. We also make sure that we only release the outpath of the part files, if the stream had been opened successfully.
Closes GH-17.
---
 mailparse.c | 4 ++--
 tests/bug81422.phpt | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 tests/bug81422.phpt
diff --git a/mailparse.c b/mailparse.c
index d4b0804..ffc0dfe 100644
--- a/mailparse.c
+++ b/mailparse.c
@@ -831,13 +831,13 @@ PHP_FUNCTION(mailparse_uudecode_all)
 array_init(&item);
 add_assoc_string(&item, "filename", ZSTR_VAL(outpath));
 add_next_index_zval(return_value, &item);
+ zend_string_release(outpath);
 }
 /* add an item */
 array_init(&item);
 add_assoc_string(&item, "origfilename", origfilename);
- zend_string_release(outpath);
 /* create a temp file for the data */
 partstream = _mailparse_create_stream(&outpath);
 if (partstream) {
@@ -848,8 +848,8 @@ PHP_FUNCTION(mailparse_uudecode_all)
 /* decode it */
 mailparse_do_uudecode(instream, partstream);
 php_stream_close(partstream);
+ zend_string_release(outpath);
 }
- zend_string_release(outpath);
 } else {
 /* write to the output file */
 php_stream_write_string(outstream, buffer);
diff --git a/tests/bug81422.phpt b/tests/bug81422.phpt
new file mode 100644
index 0000000..6368e5a
--- /dev/null
+++ b/tests/bug81422.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #81422 (Potential double-free in mailparse_uudecode_all())
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+int(3)
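Review bot: After the `zend_string_release(outpath);` added at the end of the first-item block, `outpath` still holds the address of the released string until `_mailparse_create_stream(&outpath)` overwrites it. Whether that helper writes `*outpath` when it fails is not visible here; if it does not, the variable stays stale on the failure path, and any later read of it outside this hunk would touch freed memory. I would clear the pointer at each release, `zend_string_release(outpath); outpath = NULL;`, here and at the release added in the second hunk, so a stale use fails deterministically instead of corrupting the heap. The enclosing block starts and ends outside the hunk.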
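Review bot: The `if (partstream) {` block closes in the second hunk with no failure branch, so when the temp stream cannot be created the `item` array built just before the stream check (`array_init(&item)` plus the `origfilename` entry, first hunk) is never destroyed on that path. An `else { zval_ptr_dtor(&item); }` after the closing brace would release it; alternatively, move the `array_init` and `add_assoc_string` calls into the success branch. The lines between the two hunks are not shown, but they sit inside the success branch and so cannot cover the failure case. A short comment at the release, such as `/* outpath is only set when the stream was opened */`, would also record why it lives inside the `if`.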