On Sat, Feb 10, 2007 at 10:32:24PM -0800, Ken Brush wrote: > Ok, I've attached a patch that fixes this bug.
I've adjusted this to check for the NULL deref just before the header data free call: Index: mutt-1.5.13/imap/imap.c =================================================================== --- mutt-1.5.13.orig/imap/imap.c 2007-02-11 10:07:01.000000000 -0800 +++ mutt-1.5.13/imap/imap.c 2007-02-11 10:12:38.000000000 -0800 @@ -1300,7 +1300,8 @@ /* free IMAP part of headers */ for (i = 0; i < ctx->msgcount; i++) - imap_free_header_data (&(ctx->hdrs[i]->data)); + if (ctx->hdrs[i]) + imap_free_header_data (&(ctx->hdrs[i]->data)); for (i = 0; i < IMAP_CACHE_LEN; i++) { Index: mutt-1.5.13/thread.c =================================================================== --- mutt-1.5.13.orig/thread.c 2007-02-11 10:11:33.000000000 -0800 +++ mutt-1.5.13/thread.c 2007-02-11 10:12:01.000000000 -0800 @@ -555,8 +555,11 @@ for (i = 0; i < ctx->msgcount; i++) { - ctx->hdrs[i]->thread = NULL; - ctx->hdrs[i]->threaded = 0; + if (ctx->hdrs[i]) + { + ctx->hdrs[i]->thread = NULL; + ctx->hdrs[i]->threaded = 0; + } } ctx->tree = NULL; -- Kees Cook @outflux.net
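Review bot: in the imap/imap.c hunk, the guard has to live at the caller exactly as written here, because the argument expression `&(ctx->hdrs[i]->data)` already dereferences a NULL `ctx->hdrs[i]` before `imap_free_header_data` runs, so a NULL check inside the callee would not have helped. What the hunk does not record is why an entry below `ctx->msgcount` can be NULL at this point; a one-line comment above the `if (ctx->hdrs[i])` stating which code path leaves the gap would stop a later reader from "simplifying" the check away, and would make clear whether this is the fix or a guard for a `msgcount`/`hdrs[]` inconsistency introduced elsewhere.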
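Review bot: in the thread.c hunk, skipping NULL entries silently in the `for (i = 0; i < ctx->msgcount; i++)` loop hides the same invariant violation as the imap.c change rather than reporting it; every other loop that walks `ctx->hdrs` up to `ctx->msgcount` remains exposed unless the invariant is restored. Consider emitting a debug-level message when `ctx->hdrs[i]` is NULL here so the condition is visible when it recurs, and add a short comment explaining that the check exists because `msgcount` can temporarily exceed the number of populated `hdrs[]` slots.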