Telebot crashes when freeing updates object if one of the messages was a forward from a chat.
I traced the problem to line 488 in telebot-parser.c, which seems to be a mistake when copy-pasting similar code.
```c
struct json_object *forward_from_chat = NULL;
if (json_object_object_get_ex(obj, "forward_from_chat", &forward_from_chat))
{
    msg->forward_from = malloc(sizeof(telebot_user_t));
    if (telebot_parser_get_chat(forward_from_chat, msg->forward_from_chat) != TELEBOT_ERROR_NONE)
    {
        ERR("Failed to get <forward from> from message object");
        TELEBOT_SAFE_FREE(msg->forward_from_chat);
    }
}
```
It ought to be
msg->forward_from_chat = malloc(sizeof(telebot_chat_t));.
This causes a bug in which msg->forward_from is overwritten with a pointer to uninitialized memory. This causes issues during freeing, as telebot_put_user sees non-null pointers and tries to free them. This causes memory corruption and an eventual crash.
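A minimal C reconstruction of the reported bug next to the corrected pattern, added here as an example; it is not telebot's code. The struct layouts and the helper names (put_user, put_chat, get_chat, parse_forward_chat_buggy, parse_forward_chat_fixed) are stand-ins chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for telebot's types; the field layout is an assumption. */
typedef struct { char *first_name; char *username; } telebot_user_t;
typedef struct { char *title; char *type; } telebot_chat_t;
typedef struct {
    telebot_user_t *forward_from;
    telebot_chat_t *forward_from_chat;
} telebot_message_t;

/* Stand-ins for the release helpers: free every field, then the object itself. */
static void put_user(telebot_user_t *u) { if (u) { free(u->first_name); free(u->username); free(u); } }
static void put_chat(telebot_chat_t *c) { if (c) { free(c->title); free(c->type); free(c); } }

/* Stand-in for telebot_parser_get_chat: fills a caller-provided chat object. */
static int get_chat(const char *title, telebot_chat_t *chat) {
    if (!title || !chat) return -1;          /* a NULL destination is a caller bug */
    chat->title = strdup(title);
    chat->type = strdup("channel");
    return 0;
}

/* The pattern from the report: the allocation lands in forward_from (wrong member, wrong
 * size) and the parser receives forward_from_chat, still NULL. forward_from now points at
 * uninitialized bytes, so a later put_user() would free garbage pointers. */
static int parse_forward_chat_buggy(const char *title, telebot_message_t *msg) {
    msg->forward_from = malloc(sizeof(telebot_user_t));
    if (get_chat(title, msg->forward_from_chat) != 0) {
        free(msg->forward_from_chat);        /* NULL here: frees nothing */
        msg->forward_from_chat = NULL;
        return -1;
    }
    return 0;
}

/* Corrected form: allocate the member that is parsed into, zero it so the release helper
 * is safe even if parsing stops halfway, and reset the pointer on failure. */
static int parse_forward_chat_fixed(const char *title, telebot_message_t *msg) {
    msg->forward_from_chat = calloc(1, sizeof(telebot_chat_t));
    if (!msg->forward_from_chat) return -1;
    if (get_chat(title, msg->forward_from_chat) != 0) {
        put_chat(msg->forward_from_chat);
        msg->forward_from_chat = NULL;
        return -1;
    }
    return 0;
}
```

With the fixed variant, forward_from stays NULL and only forward_from_chat is populated, so releasing the message touches exactly the objects that were initialized.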
(Quoted code: telebot/src/telebot-parser.c, lines 485 to 494 at commit c74d78d.)