From 0623bf8e8f04ed8217628f54787555e2eefa54e7 Mon Sep 17 00:00:00 2001
From: InterLinked1 <24227567+InterLinked1@users.noreply.github.com>
Date: Mon, 16 Dec 2024 07:38:27 -0500
Subject: [PATCH] mod_webmail: Fix crash caused by passing NULL to mailimap_fetch_type_free.

Fix potential crash when sort/filter is active and no messages are matched, in which case fetch_type is never set to begin with. Accordingly, guard all calls to mailimap_fetch_type_free with a NULL check.
---
 modules/mod_webmail.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/mod_webmail.c b/modules/mod_webmail.c
index a551516..fd25c0c 100644
--- a/modules/mod_webmail.c
+++ b/modules/mod_webmail.c
@@ -2016,6 +2016,7 @@ static int fetchlist(struct ws_session *ws, struct imap_client *client, const ch
 /* In the case of a filter, there might not be anything */
 if (added) {
 fetch_type = mailimap_fetch_type_new_fetch_att_list_empty();
+ bbs_assert_exists(fetch_type);
 /* UID */
 fetch_att = mailimap_fetch_att_new_uid();
@@ -2072,18 +2073,22 @@ static int fetchlist(struct ws_session *ws, struct imap_client *client, const ch
 if (MAILIMAP_ERROR(res)) {
 bbs_warning("FETCH failed: %s\n", maildriver_strerror(res));
 /* fetch_result and everything that went into it is already freed */
- mailimap_fetch_type_free(fetch_type);
+ if (fetch_type) {
+ mailimap_fetch_type_free(fetch_type);
+ }
 mailimap_set_free(set);
 return -1;
 }
- }
+ } /* else, fetch_type can be NULL here, since we didn't add anything. This can happen with a filter that doesn't match anything. Paths below thus check for it being NULL. */
 root = json_object();
 if (!root) {
 if (fetch_result) {
 mailimap_fetch_list_free(fetch_result);
 }
- mailimap_fetch_type_free(fetch_type);
+ if (fetch_type) { /* This can be NULL here... */
+ mailimap_fetch_type_free(fetch_type);
+ }
 mailimap_set_free(set);
 return -1;
 }
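Review bot: The new `bbs_assert_exists(fetch_type);` handles an allocation failure with an assertion instead of an error return. If that macro aborts the process, memory pressure while serving a webmail request takes the whole server down; if it only logs, the attribute-list calls that follow in this `if (added)` block still receive a NULL `fetch_type`. A recoverable failure such as `if (!fetch_type) { mailimap_set_free(set); return -1; }` would match the error paths later in fetchlist, assuming `set` is already allocated at this point, which the hunk does not show. The body of fetchlist starts and ends outside the hunk.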
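Review bot: The guard `if (fetch_type) { mailimap_fetch_type_free(fetch_type); }` is now copied at three exits of fetchlist (the FETCH-failure branch and the `!root` branch here, and the `!added` branch in the hunk at -2105), so any new exit path has to remember it. A single cleanup label, or a small static helper that accepts NULL, would keep the NULL handling in one place. The guards also rely on `fetch_type` being initialised to NULL at its declaration, which is outside the hunk and worth confirming, since otherwise the check reads an indeterminate pointer when `added` is zero. The comment `/* This can be NULL here... */` could name the case, e.g. `/* NULL when a filter matched no messages */`.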
@@ -2105,7 +2110,9 @@ static int fetchlist(struct ws_session *ws, struct imap_client *client, const ch
 if (!added) { /* If we filtered, there might not be any results */
- mailimap_fetch_type_free(fetch_type);
+ if (fetch_type) { /* This can be NULL here... */
+ mailimap_fetch_type_free(fetch_type);
+ }
 goto finalize;
 }