[PATCH] gzerror() after gzclose_r() is a use after free
Olivier Taïbi
oli at olitb.net
Tue Apr 14 10:36:27 PDT 2020
As suggested by David Bremner in
https://notmuchmail.org/pipermail/notmuch/2020/029288.html
here is a separate patch for bug #2: calling gzerror() (indirectly via
gzerror_str()) after gzclose_r is a use after free, according to zlib's manual.
diff --git a/notmuch-restore.c b/notmuch-restore.c
index 9a8b7fb5..e2dc3d45 100644
--- a/notmuch-restore.c
+++ b/notmuch-restore.c
@@ -237,6 +237,7 @@ notmuch_restore_command (notmuch_config_t *config, int argc, char *argv[])
int opt_index;
int include = 0;
int input_format = DUMP_FORMAT_AUTO;
+ int errnum;
if (notmuch_database_open (notmuch_config_get_database_path (config),
NOTMUCH_DATABASE_MODE_READ_WRITE, ¬much))
@@ -448,10 +449,13 @@ notmuch_restore_command (notmuch_config_t *config, int argc, char *argv[])
if (notmuch)
notmuch_database_destroy (notmuch);
- if (input && gzclose_r (input)) {
- fprintf (stderr, "Error closing %s: %s\n",
- name_for_error, gzerror_str (input));
- ret = EXIT_FAILURE;
+ if (input) {
+ errnum = gzclose_r (input);
+ if (errnum) {
+ fprintf (stderr, "Error closing %s: %d\n",
+ name_for_error, errnum);
+ ret = EXIT_FAILURE;
+ }
}
return ret ? EXIT_FAILURE : EXIT_SUCCESS;
More information about the notmuch
mailing list