contrib/neomutt/3090.patch

From 91444b047466d8c9e331447bb257ff6498de47a4 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <git@diabonas.de>
Date: Sat, 23 Oct 2021 14:31:17 +0200
Subject: [PATCH] Fix use after free of a->mailbox due to missing strdup

Commit 87ae932bcae3f229d681af9848015ba49049a581 ("Directly add full mailbox to
GPG search hints") changed crypt_add_string_to_hints(a->mailbox, &hints) to
mutt_list_insert_tail(&hints, a->mailbox). However, there is a behavioural
difference between the two functions: crypt_add_string_to_hints() adds a copy
of the string to the list, while mutt_list_insert_tail() does not. This leads
to a crash because the original a->mailbox is freed prematurely as part of the
hints list. Fix this by adding a copy of the original to the list instead.

Note that commit 87ae932bcae3f229d681af9848015ba49049a581 originally came from
Mutt. Upstream is not affected by this however because their mutt_add_list()
functions always copies the data.
---
 ncrypt/crypt_gpgme.c | 2 +-
 ncrypt/pgpkey.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ncrypt/crypt_gpgme.c b/ncrypt/crypt_gpgme.c
index 8cd70fd626..50c588a275 100644
--- a/ncrypt/crypt_gpgme.c
+++ b/ncrypt/crypt_gpgme.c
@@ -3581,7 +3581,7 @@ static struct CryptKeyInfo *crypt_getkeybyaddr(struct Address *a,
   *forced_valid = 0;
 
   if (a && a->mailbox)
-    mutt_list_insert_tail(&hints, a->mailbox);
+    mutt_list_insert_tail(&hints, mutt_str_dup(a->mailbox));
   if (a && a->personal)
     crypt_add_string_to_hints(a->personal, &hints);
 
diff --git a/ncrypt/pgpkey.c b/ncrypt/pgpkey.c
index 665f9afe41..45ceb8b8ad 100644
--- a/ncrypt/pgpkey.c
+++ b/ncrypt/pgpkey.c
@@ -369,7 +369,7 @@ struct PgpKeyInfo *pgp_getkeybyaddr(struct Address *a, KeyFlags abilities,
   struct PgpUid *q = NULL;
 
   if (a->mailbox)
-    mutt_list_insert_tail(&hints, a->mailbox);
+    mutt_list_insert_tail(&hints, mutt_str_dup(a->mailbox));
   if (a->personal)
     pgp_add_string_to_hints(a->personal, &hints);