Fix double free crash

gpg.c Under certain circumstances setting plain_str[len] to 0 might lead to crash and it does not follow the best practices as well. This change allows better handling of buffer copying and prevents crash. ox.c In this implementation gpg buffer remains untouched. So it's just a code clean up, not a fix.
profanity-im · Apr 12, 2023 · d71cf84 · d71cf84
1 parent ef38106
commit d71cf84
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/src/pgp/gpg.c b/src/pgp/gpg.c
@@ -721,10 +721,9 @@ p_gpg_decrypt(const char* const cipher)
     char* plain_str = gpgme_data_release_and_get_mem(plain_data, &len);
     char* result = NULL;
     if (plain_str) {
-        plain_str[len] = 0;
-        result = g_strdup(plain_str);
+        result = g_strndup(plain_str, len);
+        gpgme_free(plain_str);
     }
-    gpgme_free(plain_str);
 
     if (passphrase_attempt) {
         passphrase = strdup(passphrase_attempt);

diff --git a/src/pgp/ox.c b/src/pgp/ox.c
@@ -419,10 +419,12 @@ p_ox_gpg_decrypt(char* base64)
 
     size_t len;
     char* plain_str = gpgme_data_release_and_get_mem(plain, &len);
-    char* result = malloc(len + 1);
-    memcpy(result, plain_str, len);
-    result[len] = '\0';
-    gpgme_free(plain_str);
+    char* result = NULL;
+    if (plain_str) {
+        result = g_strndup(plain_str, len);
+        gpgme_free(plain_str);
+    }
+
     return result;
 }