lib: istreams - Make sure freeing snapshots can't access freed parent istream memory

author Timo Sirainen <timo.sirainen@open-xchange.com>

Tue, 17 Aug 2021 13:23:31 +0000 (15:23 +0200)

committer aki.tuomi <aki.tuomi@open-xchange.com>

Thu, 19 Aug 2021 11:24:49 +0000 (11:24 +0000)
author Timo Sirainen <timo.sirainen@open-xchange.com>
Tue, 17 Aug 2021 13:23:31 +0000 (15:23 +0200)
committer aki.tuomi <aki.tuomi@open-xchange.com>
Thu, 19 Aug 2021 11:24:49 +0000 (11:24 +0000)
diff --git a/src/lib/istream.c b/src/lib/istream.c

index 7c79e7dcf3e4c034c4003415ed0e342500ff0adc..1f2728ff28c1ea4dafb69efde60d026e535b7746 100644 (file)
--- a/src/lib/istream.c
+++ b/src/lib/istream.c
@@ -57,9 +57,17 @@ void i_stream_unref(struct istream **stream)
  
         _stream = (*stream)->real_stream;
  
-       if (!io_stream_unref(&_stream->iostream)) {
-               str_free(&_stream->line_str);
+       if (_stream->iostream.refcount > 1) {
+               if (!io_stream_unref(&_stream->iostream))
+                       i_unreached();
+       } else {
+               /* The snapshot may contain pointers to the parent istreams.
+                  Free it before io_stream_unref() frees the parents. */
                 i_stream_snapshot_free(&_stream->prev_snapshot);
+
+               if (io_stream_unref(&_stream->iostream))
+                       i_unreached();
+               str_free(&_stream->line_str);
                 i_stream_unref(&_stream->parent);
                 io_stream_free(&_stream->iostream);
         }
author	Timo Sirainen <timo.sirainen@open-xchange.com>
	Tue, 17 Aug 2021 13:23:31 +0000 (15:23 +0200)
committer	aki.tuomi <aki.tuomi@open-xchange.com>
	Thu, 19 Aug 2021 11:24:49 +0000 (11:24 +0000)