tag 553321 +confirmed pending forwarded 553321 http://bugs.mutt.org/3371 thanks
On Wed, Jan 13, 2010 at 03:08:01AM -0500, James Vega wrote:
> It looks like this is a weird interaction between the terminal size,
> mutt, and 1 line from the build log. This only happens when running
> mutt in a terminal that's certain dimensions, since that's what determines
> where mutt tries to break up the line. I've attached a minimal mbox that will
> demonstrate the scenario.
>
> Run “xterm -geom 99x34” to get the correct size terminal. Then run mutt as
> “mutt -F /dev/null -f crash.mbox” and open the mail.

Hi James,

thanks for your correspondence; through it I was able to reproduce the bug today. I've written a patch for this: the problem was a buffer overrun in fill_buffer(); the patch is attached. The bug and the patch were forwarded upstream and also pushed to our internal git repo, so the fix will be shipped with the next Debian release of mutt.

Sorry for the late action, but I was really busy at the end of last year.

Cheers
Antonio
This patch prevents mutt from crashing when *buf is freed, the root cause is the fact that an adjacent memory segment (*fmt) overruns and overwrite prev_size field in the heap. The bug and the patch were forwarded upstream, see http://bugs.mutt.org/3371 --- a/pager.c +++ b/pager.c @@ -1028,7 +1028,7 @@ q = *fmt; while (*p) { - if (*p == '\010' && (p > *buf)) + if (*p == '\010' && (p > *buf) && (q > *fmt)) { if (*(p+1) == '_') /* underline */ p += 2;
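Review bot: the new `(q > *fmt)` test guards against q being backed up to before the start of *fmt, which is an underrun of the output buffer rather than the overrun of *fmt the description above names; reword the description so it matches the check (q moves before the start of *fmt and the write lands in the heap metadata in front of it). The visible context stops at `p += 2;` in the underline branch and does not show where q is written relative to *fmt, so a reviewer cannot confirm from this hunk that every backspace path is covered by the outer condition; either post the hunk with a few more context lines or add a one-line comment on the condition such as `/* never back q up before the start of *fmt */` so the intent of the extra test survives the next refactor.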

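The following is an added example, not code from mutt or from the patch above. It models the backspace-stripping loop the hunk guards: `in` plays the role of *buf (walked by p), `out` plays the role of *fmt (written by q), and `qi` is q's offset from the start of out. The underline branch follows the visible context of the hunk; the bold/overstrike branch that overwrites the previously written byte and the escape-sequence skip are assumptions made so that the example has a path on which p advances while q stays at the start of out. The unguarded variant records the would-be write before out[0] instead of performing it, so the program stays defined; in real code that write lands in the heap chunk header in front of the buffer.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of a backspace-stripping loop. Added example, not mutt's
 * pager.c: the bold/overstrike branch and the SGR escape skip are assumptions.
 */
struct strip_result {
    size_t len;      /* bytes written to out */
    int underrun;    /* 1 if the loop tried to write one byte before out[0] */
};

/* True at the start of an SGR escape such as "\033[1m" (assumed format). */
static int at_sgr_escape(const char *p)
{
    return p[0] == '\033' && p[1] == '[';
}

/*
 * guarded == 0 reproduces the pre-patch condition `*p == '\010' && p > *buf`;
 * guarded == 1 adds the patch's `q > *fmt` test (here: qi > 0).
 */
struct strip_result strip_overstrike(const char *in, char *out, size_t outsz,
                                     int guarded)
{
    struct strip_result r = { 0, 0 };
    const char *p = in;
    size_t qi = 0;

    while (*p && qi + 1 < outsz) {
        if (*p == '\010' && p > in && (!guarded || qi > 0)) {
            if (p[1] == '_') {
                /* underline: drop the "\b_" pair, keep the byte already written */
                p += 2;
            } else if (p[1] != '\0') {
                /* bold/overstrike (assumed): overwrite the last written byte */
                if (qi == 0) {
                    /* q == *fmt: a real *(q-1) = p[1] would hit the byte before
                     * the buffer, i.e. heap metadata. Record it, do not do it. */
                    r.underrun = 1;
                } else {
                    out[qi - 1] = p[1];
                }
                p += 2;
            } else {
                out[qi++] = *p++;      /* lone trailing ^H: copy it through */
            }
        } else if (at_sgr_escape(p)) {
            /* skip the escape without writing: this is how p gets ahead of in
             * while q is still at the start of out */
            const char *e = p + 2;
            while (*e && *e != 'm')
                e++;
            p = *e ? e + 1 : e;
        } else {
            out[qi++] = *p++;
        }
    }
    out[qi] = '\0';
    r.len = qi;
    return r;
}

/* Returns 1 when the stripper produces `want` with the expected underrun flag. */
int check_case(const char *in, int guarded, const char *want, int want_underrun)
{
    char out[64];
    struct strip_result r = strip_overstrike(in, out, sizeof out, guarded);
    return r.underrun == want_underrun && strcmp(out, want) == 0;
}

int main(void)
{
    /* constructed inputs: underline, overstrike, escape then backspace, leading backspace */
    const char *inputs[] = { "A\b_B", "_\bA", "\033[1m\bX", "\bX" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        for (int g = 0; g < 2; g++) {
            char out[64];
            struct strip_result r = strip_overstrike(inputs[i], out, sizeof out, g);
            printf("input %zu guarded=%d -> len=%zu underrun=%d\n",
                   i, g, r.len, r.underrun);
        }
    }
    return 0;
}
```

The third input is the interesting one: the escape sequence advances p past the start of the line without emitting anything, so the pre-patch condition `p > *buf` is satisfied while q still equals *fmt, and the overstrike write goes one byte in front of the buffer. With the `q > *fmt` test the backspace simply falls through to the plain copy branch.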
