IMAP: fix use-after free in ChangeItemTask

The attribute pointer lives only as long as the owning Collection lives. Since the code here was taking the attribute from a temporary object, the uidNext() getter called below would return a garbage number.

IMAP: fix use-after free in ChangeItemTask
The attribute pointer lives only as long as the owning Collection lives. Since the code here was taking the attribute from a temporary object, the uidNext() getter called below would return a garbage number.
cde208e6 · Daniel Vrátil · 2ef90f7d · cde208e6
Verified Commit cde208e6 authored Apr 18, 2020 by Daniel Vrátil 🤖
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

resources/imap/changeitemtask.cpp resources/imap/changeitemtask.cpp +2 -1

No files found.
--- a/resources/imap/changeitemtask.cpp
+++ b/resources/imap/changeitemtask.cpp
@@ -189,7 +189,8 @@ void ChangeItemTask::triggerSearchJob()
    if (!m_messageId.isEmpty()) {
        search->setTerm(KIMAP::Term(QStringLiteral("Message-ID"), QString::fromLatin1(m_messageId)));
    } else {
-        UidNextAttribute *uidNext = item().parentCollection().attribute<UidNextAttribute>();
+        const auto parent = item().parentCollection();
+        const UidNextAttribute *uidNext = parent.attribute<UidNextAttribute>();
        if (!uidNext) {
            qCWarning(IMAPRESOURCE_LOG) << "Failed to determine new uid.";
            cancelTask(i18n("Could not determine the UID for the newly created message on the server"));