#3775: Heap-use-after-free when trying to save mailbox changes after moving file
------------------------+---------------------
Reporter: Lekensteyn | Owner: brendan
Type: defect | Status: new
Priority: major | Milestone:
Component: IMAP | Version:
Keywords: crash |
------------------------+---------------------
Sometimes mutt crashes due to this heap-use-after-free issue. When it
happens, I usually did this:
- Select a mail in the messages list.
- Save a mail to =[Gmail]/All Mail
- Press `$`.
- Crash.
If it matters, the first action results in this message:
Mailbox was externally modified. Flags may be wrong.
I could not really reproduce it when literally following the above
approach, but it happens often enough that it starts becoming annoying. It
only happens with two Gmail IMAP accounts, not with two other IMAP servers
(Dovecot and probably some MS mail server).
This happens with mutt a494c8f932fa35527792faa48cf098b39cbe39ea (1.5.24?),
built from source on Arch Linux with two unrelated patches:
- http://dev.mutt.org/trac/attachment/ticket/3733/reject-empty-hook-patterns.patch
- Guard memcpy with if (savebuf) in enter.c to avoid undefined behavior
when copying zero bytes from NULL.
Attached is the ASAN report for this crash.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3775>
Mutt <http://www.mutt.org/>
The Mutt mail user agent