[exim-dev] [Bug 1629] New: Missing Sanity Checks for malloc…

https://bugs.exim.org/show_bug.cgi?id=1629

            Bug ID: 1629
           Summary: Missing Sanity Checks for malloc()/calloc() plus poss.
                    memory leak in demime.c
           Product: Exim
           Version: 4.85
          Hardware: All
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Filters
          Assignee: nigel@???
          Reporter: wp02855@???
                CC: exim-dev@???

Created attachment 809
--> https://bugs.exim.org/attachment.cgi?id=809&action=edit
Patch file for above bug report...

--- demime.c.orig    2015-05-07 13:44:15.914876936 -0700
+++ demime.c    2015-05-07 14:03:32.044815106 -0700
@@ -538,6 +538,7 @@
   work = (uschar *)malloc(line_len);
   if (work == NULL) {
     (void)string_format(info, 1024,"unable to allocate %lu bytes",line_len);
+    free(data);    /* fix possible memory leak here? */
     return -2;
   };

@@ -952,9 +953,20 @@
               else {
                 struct file_extension *this_extension =
                   (struct file_extension *)malloc(sizeof(file_extension));
+        if (*this_extension == NULL) {
+          (void)string_format(info, 1024,"unable to allocate %u
bytes",sizeof(file_extension));
+          free(line);
+          return DEFER;
+        }

                 this_extension->file_extension_string =
                   (uschar *)malloc(Ustrlen(mime_part_p.extension)+1);
+        if (this->extension->file_extension_string == NULL) {
+          (void)string_format(info, 1024,"unable to allocate %u
bytes",Ustrlen(meme_part_p.extension)+1);
+          free(this_extension);    /* free prev allocated memory */
+          free(line);
+          return DEFER;
+        }
                 Ustrcpy(this_extension->file_extension_string,
                         mime_part_p.extension+1);
                 this_extension->next = file_extensions;
@@ -973,6 +985,13 @@
             }
             else {
               thisboundary = (struct boundary*)malloc(sizeof(boundary));
+          if (thisboundary == NULL) {
+        (void)string_format(info, 1024,"unable to allocate %u
bytes",sizeof(boundary));
+        free(this_extension->file_extension_string);
+        free(this_extension);
+        free(line);
+        return DEFER;
+          }
               thisboundary->next = boundaries;
               thisboundary->boundary_string = value;
               boundaries = thisboundary;
@@ -1026,9 +1045,19 @@
               else {
                 struct file_extension *this_extension =
                   (struct file_extension *)malloc(sizeof(file_extension));
-
+        if (*this_extension == NULL) {
+          (void)string_format(info, 1024,"unable to allocate %u
bytes",sizeof(file_extension));
+          free(line);
+          return DEFER;
+        }
                 this_extension->file_extension_string =
                   (uschar *)malloc(Ustrlen(mime_part_p.extension)+1);
+        if (this_extension->file_extension_string == NULL) {
+          (void)string_format(info, 1024,"unable to allocate %u
bytes",Ustrlen(mime_part_p.extension)+1);
+          free(this_extension);
+          free(line);
+          return DEFER;
+        }
                 Ustrcpy(this_extension->file_extension_string,
                         mime_part_p.extension+1);
                 this_extension->next = file_extensions;

--
You are receiving this mail because:
You are on the CC list for the bug.