From 5431d789f6a736924230ff3e51c14e0db441bdb6 Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Sat, 28 Aug 2021 00:41:09 -0600 Subject: * Fix of more memory leaks and a crash due to incorrect freeing of memory, introduced in commit 8961761e0b3c7b3cc11a00f6ac6ebf7a29bc5a10 --- alpine/alpine.c | 2 -- alpine/imap.c | 3 ++- alpine/xoauth2info.c | 13 ------------- alpine/xoauth2info.h | 20 -------------------- imap/src/c-client/auth_oa2.c | 13 +++++-------- imap/src/c-client/oauth2_aux.c | 26 ++++++++++++++++++-------- pith/pine.hlp | 2 +- 7 files changed, 26 insertions(+), 53 deletions(-) delete mode 100644 alpine/xoauth2info.h diff --git a/alpine/alpine.c b/alpine/alpine.c index 8ef14d01..545406bf 100644 --- a/alpine/alpine.c +++ b/alpine/alpine.c @@ -64,7 +64,6 @@ static char rcsid[] = "$Id: alpine.c 1266 2009-07-14 18:39:12Z hubert@u.washingt #include "after.h" #include "smime.h" #include "newmail.h" -#include "xoauth2info.h" #ifndef _WINDOWS #include "../pico/osdep/raw.h" /* for STD*_FD */ #endif @@ -3408,7 +3407,6 @@ goodnight_gracey(struct pine *pine_state, int exit_val) free_pith_module_globals(); free_pico_module_globals(); free_c_client_module_globals(); - xoauth_free_info(); #ifdef DEBUG if(debugfile){ diff --git a/alpine/imap.c b/alpine/imap.c index f8f2133c..b4505b5d 100644 --- a/alpine/imap.c +++ b/alpine/imap.c @@ -1046,6 +1046,7 @@ mm_login_oauth2(NETMBX *mb, char *user, char *method, && (NewAccessToken == NULL || strcmp(OldAccessToken, NewAccessToken))){ if(NewAccessToken) fs_give((void **) &NewAccessToken); NewAccessToken = cpystr(OldAccessToken); + NewAccessToken = OldAccessToken; ChangeAccessToken++; NewExpirationTime = OldExpirationTime; SaveRefreshToken = NewRefreshToken; 
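Review bot: In the alpine/imap.c hunk at -1046, the added `NewAccessToken = OldAccessToken;` directly follows `NewAccessToken = cpystr(OldAccessToken);`, so as the hunk reads the fresh copy is overwritten and leaked, and NewAccessToken then aliases OldAccessToken. A later `fs_give` through either name would leave the other dangling, which in a path that carries OAuth2 access tokens is a use-after-free or double-free risk. If the intent is to take over the old buffer, drop the `cpystr` line and add a comment such as `/* NewAccessToken now owns OldAccessToken's buffer */`; if a private copy is intended, drop the added line instead. mm_login_oauth2 starts and ends outside the hunk, so how OldAccessToken is released afterwards cannot be confirmed from here.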
@@ -1099,7 +1100,7 @@ mm_login_oauth2(NETMBX *mb, char *user, char *method, (preserve_password == -1 ? 0 : (preserve_password == 0 ? 2 :1)), OA2NAME); #endif /* LOCAL_PASSWD_CACHE */ - + if (token) fs_give((void **) &token); ps_global->no_newmail_check_from_optionally_enter = 0; } diff --git a/alpine/xoauth2info.c b/alpine/xoauth2info.c index 6862dd33..8a518f47 100644 --- a/alpine/xoauth2info.c +++ b/alpine/xoauth2info.c @@ -223,16 +223,3 @@ OAUTH2_S alpine_oauth2_list[] = { 0 /* flags */ } }; - - -void -xoauth_free_info(void) -{ - int i; - for(i = 0; alpine_oauth2_list[i].name != NULL ; i++){ - if(alpine_oauth2_list[i].param[OA2_RefreshToken].value) - fs_give((void **) &alpine_oauth2_list[i].param[OA2_RefreshToken].value); - if(alpine_oauth2_list[i].access_token) - fs_give((void **) &alpine_oauth2_list[i].access_token); - } -} diff --git a/alpine/xoauth2info.h b/alpine/xoauth2info.h deleted file mode 100644 index c033d949..00000000 --- a/alpine/xoauth2info.h +++ /dev/null @@ -1,20 +0,0 @@ -/* - * ======================================================================== - * Copyright 2013-2021 Eduardo Chappa - * Copyright 2006-2009 University of Washington - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * ======================================================================== - */ - -#ifndef XOAUTH2INFO_INCLUDED -#define XOAUTH2INFO_INCLUDED - -void xoauth_free_info(void); - -#endif /* XOAUTH2INFO_INCLUDED */ diff --git a/imap/src/c-client/auth_oa2.c b/imap/src/c-client/auth_oa2.c index 2f52c4f2..9081a1e3 100644 --- a/imap/src/c-client/auth_oa2.c +++ b/imap/src/c-client/auth_oa2.c 
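Review bot: The added `if (token) fs_give((void **) &token);` in the alpine/imap.c hunk at -1099 releases what is presumably OAuth2 credential text without clearing it first, so the bytes stay readable in freed heap memory. The same applies to the `fs_give` calls on `oauth2->access_token` and `oauth2->param[OA2_RefreshToken].value` added in the imap/src/c-client/oauth2_aux.c hunks. Consider overwriting the buffer across its `strlen` with a clear the compiler cannot elide before each release, and record it with a comment such as `/* token is secret: wipe before fs_give */`. The declaration of `token` is outside the hunk, so its type and contents are inferred from the name and the enclosing function.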
@@ -25,7 +25,9 @@ AUTHENTICATOR auth_oa2 = { }; #define OAUTH2_USER "user=" +#define OAUTH2_USER_LEN (5) /* strlen(OAUTH2_USER) */ #define OAUTH2_BEARER "auth=Bearer " +#define OAUTH2_BEARER_LEN (12) /* strlen(OAUTH2_BEARER) */ /* Client authenticator * Accepts: challenger function @@ -142,8 +144,8 @@ long auth_oauth2_client (authchallenge_t challenger,authrespond_t responder, cha ret = base ? NIL : LONGT; /* will get a BAD response back */ } else { - unsigned long rlen = strlen(OAUTH2_USER) + strlen(user) - + strlen(OAUTH2_BEARER) + strlen(oauth2.access_token) + 1 + 2; + unsigned long rlen = OAUTH2_USER_LEN + OAUTH2_BEARER_LEN + 2 + + strlen(user) + strlen(oauth2.access_token) + 1; char *response = (char *) fs_get (rlen + 1); sprintf(response, "%s%s\001%s%s\001\001", OAUTH2_USER, user, OAUTH2_BEARER, oauth2.access_token); if ((*responder) (stream,base,response,rlen)) { @@ -157,13 +159,8 @@ long auth_oauth2_client (authchallenge_t challenger,authrespond_t responder, cha * Refresh Token has expired somehow, we invalidate it if we * reach *trial to 3. This forces the process to restart later on. */ - if(*trial == 3){ - if(oauth2.param[OA2_State].value) - fs_give((void **) &oauth2.param[OA2_State].value); - fs_give((void **) &oauth2.param[OA2_RefreshToken].value); - fs_give((void **) &oauth2.access_token); + if(*trial == 3) oauth2.expiration = 0L; - } } } fs_give ((void **) &response); diff --git a/imap/src/c-client/oauth2_aux.c b/imap/src/c-client/oauth2_aux.c index 5af94992..d2ad6ce6 100644 --- a/imap/src/c-client/oauth2_aux.c +++ b/imap/src/c-client/oauth2_aux.c 
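Review bot: `OAUTH2_USER_LEN (5)` and `OAUTH2_BEARER_LEN (12)` in the first imap/src/c-client/auth_oa2.c hunk are hand-counted copies of the literal lengths, kept in step with the strings only by their comments. They feed the allocation size in auth_oauth2_client, so an edit to either literal that misses the number would undersize the buffer that `sprintf` fills. Deriving them removes that coupling: `#define OAUTH2_USER_LEN (sizeof(OAUTH2_USER) - 1)` and `#define OAUTH2_BEARER_LEN (sizeof(OAUTH2_BEARER) - 1)`.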
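Review bot: In the auth_oauth2_client hunk at -142, the response is still written with an unbounded `sprintf` into a buffer whose size is computed separately, and the bare `+ 2` and `+ 1` stand for the three `\001` separators without saying so. The arithmetic matches the format string as shown, but nothing enforces that it stays that way. Writing with `snprintf(response, rlen + 1, ...)` and treating a return value other than `rlen` as an error would bind the write to the allocation, and a comment like `/* 3 = the three \001 separators */` would explain the constants. The condition guarding this else branch is outside the hunk, so whether `user` and `oauth2.access_token` are known to be non-NULL before `strlen` cannot be confirmed from here.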
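Review bot: After the auth_oa2.c hunk at -157, the comment above `if(*trial == 3)` still says the refresh token is invalidated, but the new code only sets `oauth2.expiration = 0L;` and leaves `oauth2.param[OA2_RefreshToken].value` and `oauth2.access_token` in place. The comment should describe the new contract, for example `/* mark the token expired; the stored tokens are released by the caller */`, assuming that is where the release now happens. Whether a rejected refresh token can be presented again after this change depends on code outside the hunk. Bracing the now single-statement `if` would also keep a later second statement from slipping outside the condition.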
@@ -143,6 +143,7 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method, if(ogci && (x = (*ogci)(oauth2->name, user)) != NULL){ oauth2->param[OA2_Id].value = cpystr(x->client_id); oauth2->param[OA2_Secret].value = x->client_secret ? cpystr(x->client_secret) : NULL; + if(oauth2->param[OA2_Tenant].value) fs_give((void **) &oauth2->param[OA2_Tenant].value); oauth2->param[OA2_Tenant].value = x->tenant ? cpystr(x->tenant) : NULL; free_xoauth2_info(&x); } @@ -207,7 +208,9 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method, case HTTP_UNAUTHORIZED: mm_log("Client not authorized (wrong client-id?)", ERROR); break; - case HTTP_OK: json_assign ((void **) &oauth2->access_token, json, "access_token", JString); + case HTTP_OK: if(oauth2->access_token) + fs_give((void **) &oauth2->access_token); + json_assign ((void **) &oauth2->access_token, json, "access_token", JString); if((jx = json_body_value(json, "expires_in")) != NULL) switch(jx->jtype){ case JString: oauth2->expiration = time(0) + atol((char *) jx->value); @@ -266,7 +269,11 @@ mm_login_oauth2_c_client_method (NETMBX *mb, char *user, char *method, JSON_S *jx; switch(status){ - case HTTP_OK : json_assign ((void **) &oauth2->param[OA2_RefreshToken].value, json, "refresh_token", JString); + case HTTP_OK : if(oauth2->param[OA2_RefreshToken].value) + fs_give((void **) &oauth2->param[OA2_RefreshToken].value); + json_assign ((void **) &oauth2->param[OA2_RefreshToken].value, json, "refresh_token", JString); + if(oauth2->access_token) + fs_give((void **) &oauth2->access_token); json_assign ((void **) &oauth2->access_token, json, "access_token", JString); if((jx = json_body_value(json, "expires_in")) != NULL) 
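Review bot: In the oauth2_aux.c hunk at -143, only `oauth2->param[OA2_Tenant].value` is released before it is reassigned, while the two lines above it overwrite `param[OA2_Id].value` and `param[OA2_Secret].value` with `cpystr` results and no such guard. If those fields can hold heap strings when this point is reached, the previous client id and client secret leak and the secret lingers in memory; if they can hold static strings, freeing them would be wrong, which is why the asymmetry needs stating. A comment recording the ownership, e.g. `/* Id and Secret are NULL here; Tenant may carry a heap copy */`, or the matching guard where the value is heap-owned, would make this checkable. mm_login_oauth2_c_client_method begins outside the hunk, so the state of these fields on entry is not visible.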
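Review bot: In the HTTP_OK case of the oauth2_aux.c hunk at -207, the old `oauth2->access_token` is now released before `json_assign` runs, so a 200 response whose body lacks a string `access_token` would leave the field empty instead of unchanged. This assumes `fs_give` clears the pointer and `json_assign` leaves the target alone when the key is missing or has another type; neither is visible here. The hunks at -266 and -339 do the same for `param[OA2_RefreshToken].value`, which would discard a stored refresh token whenever the server omits a new one. Parsing into a temporary and swapping only on success keeps the old value until a replacement exists, and code that later calls `strlen(oauth2.access_token)` should still check for NULL.

```c
case HTTP_OK:
	newtok = NIL;	/* char *newtok, declared with the function's other locals */
	json_assign ((void **) &newtok, json, "access_token", JString);
	if(newtok){	/* replace the stored token only once a new one was parsed */
	   if(oauth2->access_token)
	      fs_give((void **) &oauth2->access_token);
	   oauth2->access_token = newtok;
	}
	/* … unchanged: expires_in handling … */
```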
@@ -339,8 +346,12 @@ void oauth2deviceinfo_get_accesscode(void *inp, void *outp) break; - case HTTP_OK : json_assign ((void **) &oauth2->param[OA2_RefreshToken].value, json, "refresh_token", JString); - json_assign ((void **) &oauth2->access_token, json, "access_token", JString); + case HTTP_OK : if(oauth2->param[OA2_RefreshToken].value) + fs_give((void **) &oauth2->param[OA2_RefreshToken].value); + json_assign ((void **) &oauth2->param[OA2_RefreshToken].value, json, "refresh_token", JString); + if(oauth2->access_token) + fs_give((void **) &oauth2->access_token); + json_assign ((void **) &oauth2->access_token, json, "access_token", JString); if((jx = json_body_value(json, "expires_in")) != NULL) switch(jx->jtype){ @@ -425,16 +436,15 @@ void renew_accesstoken(MAILSTREAM *stream) user[0] = '\0'; mm_login_method (&mb, user, (void *) &oauth2, trial, stream->auth.name); - oauth2.param[OA2_State].value = NIL; /* this is freed before we get here */ + if(oauth2.access_token) /* we need a new one */ + fs_give((void **) &oauth2.access_token); if(stream->auth.expiration == 0){ stream->auth.expiration = oauth2.expiration; + if(oauth2.param[OA2_RefreshToken].value) fs_give((void **) &oauth2.param[OA2_RefreshToken].value); return; } - if(oauth2.access_token) - fs_give((void **) &oauth2.access_token); - oauth2.param[OA2_State].value = oauth2_generate_state(); mm_login_oauth2_c_client_method (&mb, user, stream->auth.name, &oauth2, trial, &tryanother); diff --git a/pith/pine.hlp b/pith/pine.hlp index 4d79260b..714c5611 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 581 2021-08-23 22:42:05 +Alpine Commit 582 2021-08-28 00:40:42 ============= h_news ================= -- cgit v1.2.3-70-g09d2
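Review bot: The renew_accesstoken hunk at -425 deletes `oauth2.param[OA2_State].value = NIL;` together with its comment, yet a few lines down `oauth2.param[OA2_State].value` is still overwritten by `oauth2_generate_state()` with nothing stating what it held. If the removed comment was right, the field is a stale pointer between `mm_login_method` and that assignment; if the callee no longer frees it, the previous state string leaks. A comment at the assignment recording which case holds, e.g. `/* OA2_State is NIL here: mm_login_method released and cleared it */`, or restoring the reset, would make the ownership checkable. The early `return` releases only the access token and the refresh token, and the rest of the function lies outside the hunk.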