Fix potential memory leak in rfc2047_encode. (closes #3825)

If convert_string() has nonreversible characters, the allocated output
buffer would be overwritten (and not freed) in rfc2047_encode().

Thanks to Richard Russon for the bug report and initial patch, and to
TAKAHASHI Tamotsu for the analysis and revised fix suggestion.

diff --git a/rfc2047.c b/rfc2047.c
index 663b55b88f01cd49f9662e61f723c0da6f6ea4b6..aa02422773c82beaf01470830c2a93b5e37dab0c 100644 (file)
--- a/rfc2047.c
+++ b/rfc2047.c
@@ -410,7 +410,7 @@ static int rfc2047_encode (ICONV_CONST char *d, size_t dlen, int col,
   int ret = 0;
   char *buf;
   size_t bufpos, buflen;
-  char *u, *t0, *t1, *t;
+  char *u = NULL, *t0, *t1, *t;
   char *s0, *s1;
   size_t ulen, r, n, wlen;
   encoder_t encoder;
@@ -423,7 +423,7 @@ static int rfc2047_encode (ICONV_CONST char *d, size_t dlen, int col,
   {
     ret = 1; 
     icode = 0;
-    u = safe_malloc ((ulen = dlen) + 1);
+    safe_realloc (&u, (ulen = dlen) + 1);
     memcpy (u, d, dlen);
     u[ulen] = 0;
   }