From: Timo Sirainen Date: Tue, 17 Aug 2021 13:23:31 +0000 (+0200) Subject: lib: istreams - Make sure freeing snapshots can't access freed parent istream memory X-Git-Tag: 2.3.17~180 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e34bffaab5fa51cab652e41c894719c06875fe33;p=thirdparty%2Fdovecot%2Fcore.git lib: istreams - Make sure freeing snapshots can't access freed parent istream memory This happened after the recent istream-header-filter snapshot changes.
---
diff --git a/src/lib/istream.c b/src/lib/istream.c
index 7c79e7dcf3..1f2728ff28 100644
--- a/src/lib/istream.c
+++ b/src/lib/istream.c
@@ -57,9 +57,17 @@ void i_stream_unref(struct istream **stream)
 _stream = (*stream)->real_stream;
- if (!io_stream_unref(&_stream->iostream)) {
- str_free(&_stream->line_str);
+ if (_stream->iostream.refcount > 1) {
+ if (!io_stream_unref(&_stream->iostream))
+ i_unreached();
+ } else {
+ /* The snapshot may contain pointers to the parent istreams.
+ Free it before io_stream_unref() frees the parents. */
 i_stream_snapshot_free(&_stream->prev_snapshot);
+
+ if (io_stream_unref(&_stream->iostream))
+ i_unreached();
+ str_free(&_stream->line_str);
 i_stream_unref(&_stream->parent);
 io_stream_free(&_stream->iostream);
 }
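Review bot: The `else` branch is taken for every refcount that is not greater than 1, so an over-unref (count already 0 or negative) now reaches `i_stream_snapshot_free(&_stream->prev_snapshot)` before `io_stream_unref()` has a chance to reject it. Whatever sanity check io_stream_unref() applies to the count (not visible in this hunk) used to run first, so I would add `i_assert(_stream->iostream.refcount > 0);` ahead of `if (_stream->iostream.refcount > 1)` to make a double unref fail before the snapshot and its parent pointers are touched. The two `i_unreached()` calls also depend on io_stream_unref() returning FALSE exactly when the last reference is dropped; a one-line comment such as `/* io_stream_unref() returns FALSE only when refcount reaches 0 */` would record that invariant next to the peeked refcount. i_stream_unref() starts before and continues past this hunk.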