[balsa] Fix a use-after-free bug



commit 75bb63899156fbb618107a890322b4e8bd8e0fa0
Author: Peter Bloomfield <PeterBloomfield bellsouth net>
Date:   Thu Jan 4 17:25:04 2018 -0500

    Fix a use-after-free bug
    
    The format string for message dates is saved and restored between
    sessions, but the string is freed if any preference is changed in the
    preferences window. To avoid using it after it is freed, get the current
    string indirectly from balsa_app.date_string.
    
        * libbalsa/mailbox.c (mbox_model_get_value): get the date format
        string indirectly through balsa_app.date_string.
        * libbalsa/mailbox.h: declare libbalsa_mailbox_date_format as
        gchar **.
        * src/main.c (real_main): initialize it here
        * src/save-restore.c (config_global_load): ...not here.

 ChangeLog          |   11 +++++++++++
 libbalsa/mailbox.c |    4 ++--
 libbalsa/mailbox.h |    2 +-
 src/main.c         |    2 ++
 src/save-restore.c |    1 -
 5 files changed, 16 insertions(+), 4 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 9f42986..f82dffc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-01-04  Peter Bloomfield  <pbloomfield bellsouth net>
+
+       Fix a use-after-free bug
+
+       * libbalsa/mailbox.c (mbox_model_get_value): get the date format
+       string indirectly through balsa_app.date_string.
+       * libbalsa/mailbox.h: declare libbalsa_mailbox_date_format as
+       gchar **.
+       * src/main.c (real_main): initialize it here
+       * src/save-restore.c (config_global_load): ...not here.
+
 2017-12-11  Peter Bloomfield  <pbloomfield bellsouth net>
 
        Avoid possible repeated dynamic cast
diff --git a/libbalsa/mailbox.c b/libbalsa/mailbox.c
index 63c0432..df907af 100644
--- a/libbalsa/mailbox.c
+++ b/libbalsa/mailbox.c
@@ -2922,7 +2922,7 @@ lbm_get_index_entry(LibBalsaMailbox * lmm, guint msgno)
     return entry;
 }
 
-gchar *libbalsa_mailbox_date_format;
+gchar **libbalsa_mailbox_date_format;
 static void
 mbox_model_get_value(GtkTreeModel *tree_model,
                      GtkTreeIter  *iter,
@@ -2972,7 +2972,7 @@ mbox_model_get_value(GtkTreeModel *tree_model,
     case LB_MBOX_DATE_COL:
         if(msg) {
             tmp = libbalsa_date_to_utf8(msg->msg_date,
-                                       libbalsa_mailbox_date_format);
+                                       *libbalsa_mailbox_date_format);
             g_value_take_string(value, tmp);
         }
         break;
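Review bot: The new dereference `*libbalsa_mailbox_date_format` in the LB_MBOX_DATE_COL case has no guard for the global still being NULL, which is its value until src/main.c assigns it. Any other program linking libbalsa that renders this column without making that assignment would crash here, where the old code only passed a NULL format along. Consider `libbalsa_mailbox_date_format ? *libbalsa_mailbox_date_format : NULL`, or a built-in default format if libbalsa_date_to_utf8 does not accept NULL, which is not visible in this hunk. The fix also appears to assume the string is freed and replaced only on the thread that runs this callback; if the model can be read from another thread, the read would still race with the free. mbox_model_get_value starts and ends outside the hunk.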
diff --git a/libbalsa/mailbox.h b/libbalsa/mailbox.h
index 7920399..58b6ba9 100644
--- a/libbalsa/mailbox.h
+++ b/libbalsa/mailbox.h
@@ -671,6 +671,6 @@ typedef enum {
     LB_MBOX_N_COLS
 } LibBalsaMailboxColumn;
 
-extern gchar *libbalsa_mailbox_date_format;
+extern gchar **libbalsa_mailbox_date_format;
 
 #endif                         /* __LIBBALSA_MAILBOX_H__ */
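Review bot: The changed declaration `extern gchar **libbalsa_mailbox_date_format;` carries no comment on ownership, and the ownership rule is what this fix depends on. I would add above it `/* Address of the application's date-format string pointer, set once at startup; libbalsa reads through it on each use and must not cache or free the string. */`. Without that, a later change could go back to copying the pointer value and reintroduce the dangling read.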
diff --git a/src/main.c b/src/main.c
index 6f60f30..77eb9dd 100644
--- a/src/main.c
+++ b/src/main.c
@@ -540,6 +540,8 @@ real_main(int argc, char *argv[])
     libbalsa_progress_set_fraction = balsa_progress_set_fraction;
     libbalsa_progress_set_activity = balsa_progress_set_activity;
 
+    libbalsa_mailbox_date_format = &balsa_app.date_string;
+
     /* checking for valid config files */
     config_init(cmd_get_stats);
 
diff --git a/src/save-restore.c b/src/save-restore.c
index 24a9e62..50e0243 100644
--- a/src/save-restore.c
+++ b/src/save-restore.c
@@ -668,7 +668,6 @@ config_global_load(void)
     g_free(balsa_app.date_string);
     balsa_app.date_string =
        libbalsa_conf_get_string("DateFormat=" DEFAULT_DATE_FORMAT);
-    libbalsa_mailbox_date_format = balsa_app.date_string;
 
     /* ... Headers to show */
     balsa_app.shown_headers = d_get_gint("ShownHeaders", HEADERS_SELECTED);

