[Nmh-workers] Fix for a mhshow double free crash

From: Josh Bressers
Subject: [Nmh-workers] Fix for a mhshow double free crash
Date: Thu, 03 Nov 2005 14:51:10 -0500

I received a bug report today regarding a double free error in mhshow:

When you try to display a multipart message with mhshow where one of the
sections has an empty Content-Type, mhshow will try to close a file stream

What's happening is that in the InitMultiPart() function, the file stream
is being passed to the get_content() function, which when it encounters an
error, closes the filestream and returns NULL.  The InitMultiPart() function
will also try to close the filestream if get_content returns NULL.

The patch is trivial:

Index: uip/mhparse.c
RCS file: /cvsroot/nmh/nmh/uip/mhparse.c,v
retrieving revision 1.11
diff -a -u -r1.11 mhparse.c
--- uip/mhparse.c       30 Sep 2003 16:58:43 -0000      1.11
+++ uip/mhparse.c       3 Nov 2005 19:45:45 -0000
@@ -1056,7 +1056,6 @@
            if (!(p = get_content (fp, ct->c_file,
                        ct->c_subtype == MULTI_DIGEST ? -1 : 0))) {
-               fclose (ct->c_fp);
                ct->c_fp = NULL;
                return NOTOK;
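Review bot: In the error branch after get_content() returns NULL, removing fclose (ct->c_fp) is only safe if get_content() closes the stream on every one of its failure returns. The call passes fp while the branch clears ct->c_fp, so it is also worth confirming both refer to the same stream. If any failure path in get_content() returns NULL without closing, this change trades the double close for a leaked stream. Suggest a comment at this call site stating that get_content() closes the stream on error, so the ownership rule is explicit for the next person who touches this branch.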

There is a reproducer at the above URL.
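The ownership mix-up described in this message, as an added example that is not part of the original post or of the nmh source: a constructed model in which the callee closes the stream on error. The names `struct stream`, `parse_part` and `init_part` are hypothetical, and a close counter stands in for the real second `fclose`.

```c
#include <stdio.h>

/* Constructed stand-in for the message stream. It counts close attempts so
   the double close is observable without invoking undefined behaviour. */
struct stream { FILE *fp; int close_calls; };

static void stream_close(struct stream *s)
{
    s->close_calls++;
    if (s->fp)                  /* guard: a second real fclose() is the bug */
        fclose(s->fp);
    s->fp = NULL;
}

/* Hypothetical callee: like get_content() as described above, it closes the
   stream itself when it hits an error (here, an empty Content-Type). */
static int parse_part(struct stream *s, const char *ctype)
{
    if (ctype && *ctype)
        return 0;
    stream_close(s);
    return -1;
}

/* Hypothetical caller: caller_closes=1 models the code before the patch,
   caller_closes=0 the code after it. */
static int init_part(struct stream *s, const char *ctype, int caller_closes)
{
    if (parse_part(s, ctype) == 0)
        return 0;
    if (caller_closes)
        stream_close(s);        /* second close of the same stream */
    s->fp = NULL;
    return -1;
}

/* Feeds an empty Content-Type to the caller and returns the close count. */
static int closes_on_empty_type(int caller_closes)
{
    struct stream s = { tmpfile(), 0 };
    init_part(&s, "", caller_closes);
    return s.close_calls;
}

int main(void)
{
    printf("before patch: %d close calls, after patch: %d\n",
           closes_on_empty_type(1), closes_on_empty_type(0));
    return 0;
}
```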


