From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Tue, 3 Feb 2026 11:37:36 +0000 (+0200)
Subject: lib-oauth2: Fix potential crash or bad handling of JWT array values
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b59b7d50f074c037800c285d0f9431217904f390;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Fix potential crash or bad handling of JWT array values

If the JWT had an array larger than 8 (fields array's initial size),
the code may have crashed or dropped some of the values in the array.
---

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 8ccff8ca14..afceda0a86 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -396,7 +396,7 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields,
 				else
 					root->prefix = t_strconcat(jnode->name, "_", NULL);
 			} else {
-				struct oauth2_field *field;
+				struct oauth2_field *field = NULL, *field_iter;
 				const char *name;
 
 				if (subroot->array) {
@@ -405,11 +405,13 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields,
 						name = t_strdup_until(subroot->prefix, name);
 					else
 						name = subroot->prefix;
-					array_foreach_modifiable(fields, field) {
-						if (strcmp(field->name, name) == 0)
+					array_foreach_modifiable(fields, field_iter) {
+						if (strcmp(field_iter->name, name) == 0) {
+							field = field_iter;
 							break;
+						}
 					}
-					if (field == NULL || field->name == NULL) {
+					if (field == NULL) {
 						field = array_append_space(fields);
 						field->name = p_strdup(pool, name);
 					}