From: Daniel Stenberg Date: Thu, 16 Nov 2023 09:04:35 +0000 (+0100) Subject: duphandle: make dupset() not return with pointers to old alloced data X-Git-Tag: curl-8_5_0~90 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=54a385e3fa1fe8892eda767f9d353e3977e62623;p=thirdparty%2Fcurl.git duphandle: make dupset() not return with pointers to old alloced data As the blob pointers are to be duplicated, the function must not return mid-function with lingering pointers to the old handle's allocated data, as that would lead to double-free in OOM situations. Make sure to clear all destination pointers first to avoid this risk. Closes #12337 --- diff --git a/lib/easy.c b/lib/easy.c index cf254ee555..0db2d5d567 100644 --- a/lib/easy.c +++ b/lib/easy.c @@ -837,8 +837,10 @@ static CURLcode dupset(struct Curl_easy *dst, struct Curl_easy *src) dst->set = src->set; Curl_mime_initpart(&dst->set.mimepost); - /* clear all string pointers first */ + /* clear all dest string and blob pointers first, in case we error out + mid-function */ memset(dst->set.str, 0, STRING_LAST * sizeof(char *)); + memset(dst->set.blobs, 0, BLOB_LAST * sizeof(struct curl_blob *)); /* duplicate all strings */ for(i = (enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) { @@ -847,8 +849,6 @@ static CURLcode dupset(struct Curl_easy *dst, struct Curl_easy *src) return result; } - /* clear all blob pointers first */ - memset(dst->set.blobs, 0, BLOB_LAST * sizeof(struct curl_blob *)); /* duplicate all blobs */ for(j = (enum dupblob)0; j < BLOB_LAST; j++) { result = Curl_setblobopt(&dst->set.blobs[j], src->set.blobs[j]);
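Review bot: the `return result;` inside the string loop in the first hunk still hands back a dst that was bulk-copied from src with `dst->set = src->set;`, so clearing the str and blob arrays up front only closes the double-free if every caller of dupset() cleans up dst (freeing whatever strings were duplicated before the failure) instead of dropping it; that contract deserves a sentence in the function comment next to the new "in case we error out mid-function" note. As a style point, both memsets size the arrays by element count (`STRING_LAST * sizeof(char *)`, `BLOB_LAST * sizeof(struct curl_blob *)`); if `str` and `blobs` are fixed-size arrays, as that arithmetic suggests, `memset(dst->set.blobs, 0, sizeof(dst->set.blobs));` cannot drift out of step with the declaration.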
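Review bot: in the second hunk the blob loop now runs over a dst->set.blobs array that was already zeroed before the string loop, so a failing `Curl_setblobopt()` leaves NULL in the entries not yet reached and dst-owned copies in the ones already done, which is what makes the early return safe; the hunk is cut off right at `result = Curl_setblobopt(&dst->set.blobs[j], src->set.blobs[j]);`, so confirm the check that follows returns at once, mirroring the string loop, rather than continuing and overwriting `result` on a later iteration. Since the failure mode only shows up under allocation failure, it would also help to name in the commit message which torture-test run reproduced #12337 so the fix has a regression check.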