https://bugs.exim.org/show_bug.cgi?id=1629
Bug ID: 1629 Summary: Missing Sanity Checks for malloc()/calloc() plus poss. memory leak in demime.c Product: Exim Version: 4.85 Hardware: All OS: All Status: NEW Severity: bug Priority: medium Component: Filters Assignee: ni...@exim.org Reporter: wp02...@gmail.com CC: exim-dev@exim.org Created attachment 809 --> https://bugs.exim.org/attachment.cgi?id=809&action=edit Patch file for above bug report... --- demime.c.orig 2015-05-07 13:44:15.914876936 -0700 +++ demime.c 2015-05-07 14:03:32.044815106 -0700 @@ -538,6 +538,7 @@ work = (uschar *)malloc(line_len); if (work == NULL) { (void)string_format(info, 1024,"unable to allocate %lu bytes",line_len); + free(data); /* fix possible memory leak here? */ return -2; }; @@ -952,9 +953,20 @@ else { struct file_extension *this_extension = (struct file_extension *)malloc(sizeof(file_extension)); + if (*this_extension == NULL) { + (void)string_format(info, 1024,"unable to allocate %u bytes",sizeof(file_extension)); + free(line); + return DEFER; + } this_extension->file_extension_string = (uschar *)malloc(Ustrlen(mime_part_p.extension)+1); + if (this->extension->file_extension_string == NULL) { + (void)string_format(info, 1024,"unable to allocate %u bytes",Ustrlen(meme_part_p.extension)+1); + free(this_extension); /* free prev allocated memory */ + free(line); + return DEFER; + } Ustrcpy(this_extension->file_extension_string, mime_part_p.extension+1); this_extension->next = file_extensions; @@ -973,6 +985,13 @@ } else { thisboundary = (struct boundary*)malloc(sizeof(boundary)); + if (thisboundary == NULL) { + (void)string_format(info, 1024,"unable to allocate %u bytes",sizeof(boundary)); + free(this_extension->file_extension_string); + free(this_extension); + free(line); + return DEFER; + } thisboundary->next = boundaries; thisboundary->boundary_string = value; boundaries = thisboundary; @@ -1026,9 +1045,19 @@ else { struct file_extension *this_extension = (struct file_extension *)malloc(sizeof(file_extension)); - + if (*this_extension == NULL) { + (void)string_format(info, 1024,"unable to allocate %u bytes",sizeof(file_extension)); + free(line); + return DEFER; + } this_extension->file_extension_string = (uschar *)malloc(Ustrlen(mime_part_p.extension)+1); + if (this_extension->file_extension_string == NULL) { + (void)string_format(info, 1024,"unable to allocate %u bytes",Ustrlen(mime_part_p.extension)+1); + free(this_extension); + free(line); + return DEFER; + } Ustrcpy(this_extension->file_extension_string, mime_part_p.extension+1); this_extension->next = file_extensions; -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##