From 047b02bbcdd761f1485be317be40f2cd569fa2d4 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 25 Apr 2024 15:09:59 +0100
Subject: [PATCH 1/2] Fix messagepack EXT parsing

When we read `ext` we actually do not get any object, so we MUST NOT insert `parser->cur_obj` multiple times, as we will have use-after-free on unref. This is a serious bug.

Issue: #303
Closes: #303
---
 src/ucl_msgpack.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/ucl_msgpack.c b/src/ucl_msgpack.c
index 3335e39c..edf3bc59 100644
--- a/src/ucl_msgpack.c
+++ b/src/ucl_msgpack.c
@@ -1146,9 +1146,14 @@ ucl_msgpack_consume (struct ucl_parser *parser)
 /* Insert value to the container and check if we have finished array */
- if (!ucl_msgpack_insert_object (parser, NULL, 0,
+ if (parser->cur_obj) {
+ if (!ucl_msgpack_insert_object(parser, NULL, 0,
 parser->cur_obj)) {
- return false;
+ return false;
+ }
+ }
+ else {
+ /* We have parsed ext, ignore it */
 }
 if (ucl_msgpack_is_container_finished (container)) {
@@ -1634,5 +1639,7 @@ ucl_msgpack_parse_ignore (struct ucl_parser *parser,
 return -1;
 }
+ parser->cur_obj = NULL;
+
 return len;
 }

From 1e409aeeefb12c472aefe66c2ced194687f9c28c Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 25 Apr 2024 15:13:22 +0100
Subject: [PATCH 2/2] Apply the same fix in other places of the parser

---
 src/ucl_msgpack.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/ucl_msgpack.c b/src/ucl_msgpack.c
index edf3bc59..9190cc4c 100644
--- a/src/ucl_msgpack.c
+++ b/src/ucl_msgpack.c
@@ -1212,10 +1212,12 @@ ucl_msgpack_consume (struct ucl_parser *parser)
 assert (key != NULL && keylen > 0);
- if (!ucl_msgpack_insert_object (parser, key, keylen,
+ if (parser->cur_obj) {
+ if (!ucl_msgpack_insert_object(parser, key, keylen,
 parser->cur_obj)) {
- return false;
+ return false;
+ }
 }
 key = NULL;
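Review bot: The `else` branch added at the bottom of the 1146 hunk holds nothing but a comment; the reason belongs on the guard itself, e.g. `if (parser->cur_obj) { /* NULL after an ignored ext value: nothing to insert */`, with the empty else dropped. Skipping the insert also skips whatever container bookkeeping `ucl_msgpack_insert_object` performs; if the remaining-element count is decremented only there, an ignored ext would leave `ucl_msgpack_is_container_finished(container)` false one element longer than the stream promises, which is worth confirming against the helper, outside this hunk. The same guard is repeated in the 1212 and 1304 hunks of the second patch. ucl_msgpack_consume starts and ends outside the hunk.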
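Review bot: `parser->cur_obj = NULL;` in the 1634 hunk is reached only on the success path of ucl_msgpack_parse_ignore; the `return -1` two lines above leaves `cur_obj` pointing at whatever was parsed last, so the state the commit message describes as unsafe to re-insert can still be seen by an error-path caller — confirm that a -1 return aborts parsing without touching cur_obj, or move the reset ahead of the length check. A one-line comment on the reset would also help the next reader: `/* ext produces no object; clear cur_obj so consume() does not re-insert the previous one */`. The function's beginning lies outside the hunk.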
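Review bot: When `parser->cur_obj` is NULL in the 1212 hunk, `key = NULL;` still runs, so a map pair whose value is an ext type is dropped together with its key without any record; if `key` refers to storage the insert would have taken ownership of, that storage is now orphaned — worth confirming against how the key is allocated, which is outside the hunk. The first patch documented the skipped case with a comment while this hunk and the one at 1304 carry none; `if (parser->cur_obj) { /* NULL after an ignored ext value, nothing to insert */` would keep the three sites consistent. ucl_msgpack_consume begins and ends outside this hunk.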
@@ -1304,9 +1306,11 @@ ucl_msgpack_consume (struct ucl_parser *parser)
 /* Insert value to the container and check if we have finished array */
- if (!ucl_msgpack_insert_object (parser, NULL, 0,
+ if (parser->cur_obj) {
+ if (!ucl_msgpack_insert_object(parser, NULL, 0,
 parser->cur_obj)) {
- return false;
+ return false;
+ }
 }
 break;
 case finish_array_value: