#3530: Crash on search in IMAP(S) mailbox
----------------------+-----------------------------------------------------
Reporter: barsnick | Owner: brendan
Type: defect | Status: new
Priority: major | Milestone:
Component: IMAP | Version: 1.5.21
Keywords: |
----------------------+-----------------------------------------------------
Comment(by barsnick):
{{{
Without digging too deep, a little debug on the second crash brought me
here:
{{{
(gdb) up 6
#7 0x0805efa5 in mutt_copy_hdr (in=0x819cf60, out=0x8193b28,
    off_start=0, off_end=491, flags=20, prefix=0x0) at copy.c:310
310 FREE (&headers[x]);
(gdb) l
305 }
306
307 /* Free in a separate loop to be sure that all headers are freed
308 * in case of error. */
309 for (x = 0; x < hdr_count; x++)
310 FREE (&headers[x]);
311 FREE (&headers);
312
313 if (error)
314 return (-1);
(gdb) p x
$9 = 1
(gdb) p hdr_count
$10 = 1
}}}
If hdr_count is 1, how can x ever be assigned 1 in the loop?
(headers[1] is indeed a NULL pointer, which is then attempted to free.)
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3530#comment:>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
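The pattern in the quoted copy.c excerpt (collect header lines into a heap array, then release every slot in a separate loop so nothing leaks on the error path) is shown below as an added, self-contained illustration. This is not mutt's code: the function copy_headers, the simulated-failure parameter fail_after, the constructed sample messages and the way the NULL-clearing FREE macro is written here are all assumptions made for the example, modelled only loosely on the excerpt.

```c
/* Added illustration of "collect, then free in a separate loop", with a
 * NULL-safe FREE that clears the caller's pointer. Not mutt's code; names,
 * the fail_after hook and the sample input are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free through a pointer-to-pointer and clear the slot, so a repeated FREE
 * on the same slot (or on a slot that was never filled) is a harmless no-op
 * instead of a double free. */
static void safe_free(void *p)
{
    void **pp = (void **)p;
    if (*pp) {
        free(*pp);
        *pp = NULL;
    }
}
#define FREE(x) safe_free(x)

/* Copy "Name: value" header lines out of a buffer into a heap array until
 * the blank line that ends the header block, then release everything in a
 * separate loop. Returns the number of headers collected, or -1 on error.
 * If fail_after >= 0, an error is simulated once that many headers have
 * been stored, to exercise the cleanup path. bytes_out receives the total
 * number of header bytes copied (may be NULL). */
int copy_headers(const char *in, int fail_after, size_t *bytes_out)
{
    int hdr_max = 4, hdr_count = 0, error = 0, x;
    size_t total = 0;
    const char *line = in;
    char **headers = calloc(hdr_max, sizeof(char *));
    if (!headers)
        return -1;

    while (*line && *line != '\n') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (fail_after >= 0 && hdr_count == fail_after) { error = 1; break; }

        if (hdr_count == hdr_max) {               /* grow the pointer array */
            char **tmp = realloc(headers, 2 * hdr_max * sizeof(char *));
            if (!tmp) { error = 1; break; }
            headers = tmp;
            memset(headers + hdr_max, 0, hdr_max * sizeof(char *));
            hdr_max *= 2;
        }
        headers[hdr_count] = malloc(len + 1);
        if (!headers[hdr_count]) { error = 1; break; }
        memcpy(headers[hdr_count], line, len);
        headers[hdr_count][len] = '\0';
        total += len;
        hdr_count++;
        line = nl ? nl + 1 : line + len;
    }

    int seen = hdr_count;
    /* Free in a separate loop so every stored header is released even when
     * the loop above bailed out early. */
    for (x = 0; x < hdr_count; x++)
        FREE(&headers[x]);
    FREE(&headers);
    /* At this point x == hdr_count: a debugger that stops after the loop
     * shows x equal to hdr_count although no headers[hdr_count] was freed. */

    if (bytes_out)
        *bytes_out = total;
    return error ? -1 : seen;
}

int main(void)
{
    /* Constructed sample message, not captured from a real mailbox. */
    const char *msg = "From: a@example.org\nSubject: hi\nTo: b@example.org\n\nbody\n";
    size_t bytes = 0;
    printf("headers: %d (%zu bytes)\n", copy_headers(msg, -1, &bytes), bytes);
    printf("simulated failure: %d\n", copy_headers(msg, 1, NULL));
    return 0;
}
```

Running it under a leak checker (for instance valgrind or AddressSanitizer) with both the normal and the simulated-failure input is the practical check: the separate free loop is what keeps the error path from leaking the headers already copied.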