#3525: thread.c:432 Mutt crashes with segmentation fault
--------------------+-------------------------------------------------------
Reporter: hhorak | Owner: me
Type: defect | Status: accepted
Priority: major | Milestone: 1.6
Component: mutt | Version: 1.5.20
Keywords: |
--------------------+-------------------------------------------------------
Comment(by hhorak):
Stanislaw Gruszka spent some time investigating and it seems he found
the problem. This is his patch with some justification (copy&paste from
https://bugzilla.redhat.com/show_bug.cgi?id=674271):
{{{
From [email protected] Sun Oct 2 20:40:08 2011
Date: Sun, 2 Oct 2011 20:40:08 +0200
From: Stanislaw Gruszka <[email protected]>
To: [email protected]
Subject: [PATCH] pop: fix segmentation fault in find_subjects()
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21+46 (b01d63af6fea) (2011-07-01)
Status: RO
Content-Length: 2033
Lines: 44
Patch fixes segmentation fault during message removal in thread mode:
Core was generated by `mutt -d 3 -f pops://[email protected]'.
Program terminated with signal 11, Segmentation fault.
#0 0x080bac5c in find_subject (ctx=0x96fcae8, init=<value optimized out>) at thread.c:433
433 !tmp->fake_thread && /* don't match pseudo threads */
(gdb) bt
#0 0x080bac5c in find_subject (ctx=0x96fcae8, init=<value optimized out>) at thread.c:433
#1 pseudo_threads (ctx=0x96fcae8, init=<value optimized out>) at thread.c:503
#2 mutt_sort_threads (ctx=0x96fcae8, init=<value optimized out>) at thread.c:960
#3 0x080b8105 in mutt_sort_headers (ctx=0x96fcae8, init=<value optimized out>) at sort.c:297
#4 0x0808fe77 in mx_sync_mailbox (ctx=0x96fcae8, index_hint=0xbff7b680) at mx.c:1182
#5 0x080667b1 in mutt_index_menu () at curs_main.c:1034
#6 0x08083e3f in main (argc=1, argv=0xbff7c7e4) at main.c:1020
This problem happens because of replacing hdr->env in pop code, which
makes ptr->key in subj_hash point to an invalid address. If after that we
remove the message (see mx_update_tables()), hash_delete will fail to
remove the entry, but hdr is freed, making subj_hash ptr->data point to
freed memory. In consequence we crash dereferencing ptr->data when
iterating on subj_hash in find_subject().
Not sure if that is the best possible fix, i.e. if we could avoid
replacing hdr->env, but it makes the crash go away.
diff -r b01d63af6fea pop.c
--- a/pop.c Wed Jul 13 11:05:37 2011 -0500
+++ b/pop.c Sun Oct 02 20:01:40 2011 +0200
@@ -618,8 +618,15 @@
}
rewind (msg->fp);
uidl = h->data;
+
+ /* we replace envelop, key in subj_hash has to be updated as well */
+ if (ctx->subj_hash && h->env->real_subj)
+ hash_delete (ctx->subj_hash, h->env->real_subj, h, NULL);
mutt_free_envelope (&h->env);
h->env = mutt_read_rfc822_header (msg->fp, h, 0, 0);
+ if (ctx->subj_hash && h->env->real_subj)
+ hash_insert (ctx->subj_hash, h->env->real_subj, h, 1);
+
h->data = uidl;
h->lines = 0;
fgets (buf, sizeof (buf), msg->fp);
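Review bot: the ordering in this hunk is the whole fix and the comment should say so: `hash_delete` has to run before `mutt_free_envelope (&h->env)` because the key passed in, `h->env->real_subj`, is a string owned by the envelope about to be freed, so any later delete keyed by the new subject (as in `mx_update_tables()`) compares against a freed string and leaves the entry dangling. Suggest expanding the comment along the lines of "the hash key is owned by the envelope we are about to free, so drop the entry first and re-insert with the new key" and fixing the typo "envelop" to "envelope". The guard `ctx->subj_hash && h->env->real_subj` on both sides is right, since a header without a subject never had an entry; worth confirming while here that no other ctx hash is keyed on a string owned by the envelope being replaced, as it would need the same delete/re-insert bracket.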
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3525#comment:4>
Mutt <http://www.mutt.org/>
The Mutt mail user agent