From 390e92688d846182eadd433780042473f84a3eee Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Thu, 28 May 2026 12:04:25 +0530
Subject: [PATCH 1/2] lib-oauth2: jwt - Avoid use-after-realloc of jwt_node front pointer
oauth2_jwt_copy_fields() captures subroot from array_front(&nodes) then calls array_append_space(&nodes) inside the inner loop. When the append cannot extend the buffer in place it relocates it, so subroot aliases the previous slot and later subroot->prefix / subroot->array reads operate on the abandoned location. Refresh subroot after the append.
---
 src/lib-oauth2/oauth2-jwt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index afceda0a863..7911158263a 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -387,6 +387,7 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields,
 if (!json_node_is_singular(jnode)) {
 root = array_append_space(&nodes);
+ subroot = array_front(&nodes);
 root->root = json_tree_node_get_child(tnode);
 root->array = json_node_is_array(jnode);
 if (jnode->name == NULL)

From 761de0c7d239db0e0b4c9981a965d3b4cbd0ce18 Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Sat, 30 May 2026 11:53:55 +0530
Subject: [PATCH 2/2] lib-oauth2: jwt - Avoid use-after-realloc of jwt_node front pointer
---
 src/lib-oauth2/oauth2-jwt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 7911158263a..df512783b22 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -387,6 +387,8 @@ oauth2_jwt_copy_fields(ARRAY_TYPE(oauth2_field) *fields,
 if (!json_node_is_singular(jnode)) {
 root = array_append_space(&nodes);
+ /* array_append_space() may have reallocated the buffer, so refresh subroot to the new location. */
 subroot = array_front(&nodes);
 root->root = json_tree_node_get_child(tnode);
 root->array = json_node_is_array(jnode);
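Review bot: The refresh `subroot = array_front(&nodes);` is only correct because subroot denotes the front element for the whole inner loop, and nothing in the hunk shows where subroot is first taken or when nodes is popped; oauth2_jwt_copy_fields() starts and ends outside the hunk. The new comment should state that invariant rather than only the reallocation, e.g. `/* array_append_space() may have reallocated the buffer; subroot is (presumably) the front element until the outer loop pops it, so refresh it here. */`, so the next change that pops or inserts at the front inside this loop is caught in review. The stale pointer is only produced once nodes grows past its initial capacity, so a regression test that copies a token with enough nested object/array claims to force a reallocation would pin the fix rather than relying on allocator luck.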