From: Kevin McCarthy Date: Sat, 9 Apr 2016 01:38:27 +0000 (-0700) Subject: Fix potential memory leak in rfc2047_encode. (closes #3825) X-Git-Tag: neomutt-20160822~181 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cc588fbf5d071a0380b06cb868d8bf3428bd731c;p=neomutt Fix potential memory leak in rfc2047_encode. (closes #3825) If convert_string() has nonreversible characters, the allocated output buffer would be overwritten (and not freed) in rfc2047_encode(). Thanks to Richard Russon for the bug report and initial patch, and to TAKAHASHI Tamotsu for the analysis and revised fix suggestion. --- diff --git a/rfc2047.c b/rfc2047.c index 663b55b88..aa0242277 100644 --- a/rfc2047.c +++ b/rfc2047.c @@ -410,7 +410,7 @@ static int rfc2047_encode (ICONV_CONST char *d, size_t dlen, int col, int ret = 0; char *buf; size_t bufpos, buflen; - char *u, *t0, *t1, *t; + char *u = NULL, *t0, *t1, *t; char *s0, *s1; size_t ulen, r, n, wlen; encoder_t encoder; @@ -423,7 +423,7 @@ static int rfc2047_encode (ICONV_CONST char *d, size_t dlen, int col, { ret = 1; icode = 0; - u = safe_malloc ((ulen = dlen) + 1); + safe_realloc (&u, (ulen = dlen) + 1); memcpy (u, d, dlen); u[ulen] = 0; }
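Review bot: In the first hunk (`@@ -410,7 +410,7 @@`), only `u` gets an initializer on a declaration line it shares with `t0`, `t1` and `t`, so the one initialization that matters is easy to miss. The later `safe_realloc (&u, ...)` call is only valid if `u` is NULL or a live allocation at that point. Consider giving `u` its own declaration line with a short comment stating that invariant.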
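Review bot: In the second hunk (`@@ -423,7 +423,7 @@`), the `safe_realloc (&u, (ulen = dlen) + 1);` line needs a comment saying why it is a realloc. Per the commit message, `u` may already hold a buffer left behind by convert_string() when it hit nonreversible characters, and without that note the call looks like something to simplify back to `safe_malloc`, which would reintroduce the leak. The old contents are overwritten by the `memcpy (u, d, dlen);` that follows, so freeing `u` and allocating fresh would state the intent more directly and avoid realloc copying bytes that are then discarded. Moving the `ulen = dlen` assignment out of the argument would also make the size expression easier to audit.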