Fix use after free of a->mailbox due to missing strdup
Commit 87ae932 ("Directly add full mailbox to
GPG search hints") changed crypt_add_string_to_hints(a->mailbox, &hints) to
mutt_list_insert_tail(&hints, a->mailbox). However, there is a behavioural
difference between the two functions: crypt_add_string_to_hints() adds a copy
of the string to the list, while mutt_list_insert_tail() does not. This leads
to a crash because the original a->mailbox is freed prematurely as part of the
hints list. Fix this by adding a copy of the original to the list instead.

Note that commit 87ae932 originally came from
Mutt. Upstream is not affected by this, however, because their mutt_add_list()
function always copies the data.
diabonas authored and flatcap committed Oct 23, 2021
1 parent e9f3170 commit a4a02a4
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion ncrypt/crypt_gpgme.c
Expand Up @@ -3581,7 +3581,7 @@ static struct CryptKeyInfo *crypt_getkeybyaddr(struct Address *a,
*forced_valid = 0;

if (a && a->mailbox)
mutt_list_insert_tail(&hints, a->mailbox);
mutt_list_insert_tail(&hints, mutt_str_dup(a->mailbox));
if (a && a->personal)
crypt_add_string_to_hints(a->personal, &hints);
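
Review bot: The mailbox hint is added with `mutt_list_insert_tail(&hints, mutt_str_dup(a->mailbox));` while the personal hint on the following line goes through crypt_add_string_to_hints(), so the same list is filled through two paths with different copy semantics and nothing at the call site records that hints owns its strings. A short comment above the mailbox line saying that mutt_list_insert_tail() stores the pointer as given and that the list takes ownership of it would keep a later cleanup from dropping the mutt_str_dup() again, which is the regression the commit message describes.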

2 changes: 1 addition & 1 deletion ncrypt/pgpkey.c
Expand Up @@ -369,7 +369,7 @@ struct PgpKeyInfo *pgp_getkeybyaddr(struct Address *a, KeyFlags abilities,
struct PgpUid *q = NULL;

if (a->mailbox)
mutt_list_insert_tail(&hints, a->mailbox);
mutt_list_insert_tail(&hints, mutt_str_dup(a->mailbox));
if (a->personal)
pgp_add_string_to_hints(a->personal, &hints);
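
Review bot: The condition `if (a->mailbox)` in pgp_getkeybyaddr() dereferences a without the `a &&` guard that the matching lines in crypt_getkeybyaddr() use (`if (a && a->mailbox)`). If a can be NULL on entry here, the same guard belongs on both the mailbox and the personal check; if callers guarantee a non-NULL address, a comment saying so would explain why the two functions differ.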
