From: Timo Sirainen Date: Thu, 18 May 2017 16:40:04 +0000 (+0300) Subject: lib-imap: imap_parser_unref() should always set parser=NULL X-Git-Tag: 2.3.0.rc1~1605 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e47584d767f86848212ad5089549d3bb01885ca;p=thirdparty%2Fdovecot%2Fcore.git lib-imap: imap_parser_unref() should always set parser=NULL Not just when the last reference is cleared. This is how *_unref()s should work everywhere in Dovecot. This fixes a bug in lib-imap-client where a parser could have been accessed after it was already freed.
---
diff --git a/src/lib-imap/imap-parser.c b/src/lib-imap/imap-parser.c
index 0784278425..2b75a40017 100644
--- a/src/lib-imap/imap-parser.c
+++ b/src/lib-imap/imap-parser.c
@@ -93,16 +93,18 @@ void imap_parser_ref(struct imap_parser *parser)
 parser->refcount++;
 }
-void imap_parser_unref(struct imap_parser **parser)
+void imap_parser_unref(struct imap_parser **_parser)
 {
- i_assert((*parser)->refcount > 0);
+ struct imap_parser *parser = *_parser;
- if (--(*parser)->refcount > 0)
+ *_parser = NULL;
+
+ i_assert(parser->refcount > 0);
+ if (--parser->refcount > 0)
 return;
- pool_unref(&(*parser)->pool);
- i_free(*parser);
- *parser = NULL;
+ pool_unref(&parser->pool);
+ i_free(parser);
 }
 void imap_parser_enable_literal_minus(struct imap_parser *parser)
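Review bot: The rewritten imap_parser_unref() dereferences `parser` in `i_assert(parser->refcount > 0)` without checking it for NULL, and because `*_parser = NULL` now runs on every call, a second unref through the same variable becomes a NULL dereference rather than the stale-pointer access described in the commit message. That is a safer and more deterministic failure, but the contract should be explicit: either add `i_assert(parser != NULL);` ahead of the refcount assert or, if the project's unref helpers are meant to tolerate it, `if (parser == NULL) return;`. A comment above the function such as `/* Drops one reference and always clears *_parser, even when other references remain. */` would record the new behaviour for callers. Any caller that kept using its pointer after a non-final unref now sees NULL; those call sites, including the lib-imap-client one the message refers to, are outside this hunk and presumably need an audit.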