I've uploaded this to the ticket, but wanted to mail it to the list too in case anyone has comments.
--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
http://www.8t8.us/configs/gpg-key-transition-statement.txt
# HG changeset patch # User Kevin McCarthy <[email protected]> # Date 1441401032 25200 # Fri Sep 04 14:10:32 2015 -0700 # Branch stable # Node ID e1ee3749f449c990cacde41cbed7e2b358977cfa # Parent f675e853af127929a3c873024af5a764a2ccee86 Fix use after free of ctx->last_tag. (closes #3775) When using imap to access gmail, tagging and saving messages to "all mail" and pressing <sync-mailbox> can result in the call path: mx_check_mailbox() imap_check_mailbox() imap_cmd_finish() imap_expunge_mailbox() mx_update_tables() followed by: mx_sync_mailbox() The HEADER pointed to by ctx->last_tag will be removed and FREE'ed in mx_update_tables(), but will subsequently be accessed in mx_sync_mailbox(). This patch simply sets ctx->last_tag=NULL if it is freed inside mx_update_tables(). Thanks to Peter Lekensteyn for the bug report and ASAN report. diff --git a/mx.c b/mx.c --- a/mx.c +++ b/mx.c @@ -1053,16 +1053,23 @@ ctx->size -= (ctx->hdrs[i]->content->length + ctx->hdrs[i]->content->offset - ctx->hdrs[i]->content->hdr_offset); /* remove message from the hash tables */ if (ctx->subj_hash && ctx->hdrs[i]->env->real_subj) hash_delete (ctx->subj_hash, ctx->hdrs[i]->env->real_subj, ctx->hdrs[i], NULL); if (ctx->id_hash && ctx->hdrs[i]->env->message_id) hash_delete (ctx->id_hash, ctx->hdrs[i]->env->message_id, ctx->hdrs[i], NULL); + /* The path mx_check_mailbox() -> imap_check_mailbox() -> + * imap_expunge_mailbox() -> mx_update_tables() + * can occur before a call to mx_sync_mailbox(), resulting in + * last_tag being stale if it's not reset here. + */ + if (ctx->last_tag == ctx->hdrs[i]) + ctx->last_tag = NULL; mutt_free_header (&ctx->hdrs[i]); } } #undef this_body ctx->msgcount = j; }
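Review bot: the reset is correctly ordered in the loop body, since `if (ctx->last_tag == ctx->hdrs[i])` is evaluated after the two `hash_delete` calls but before `mutt_free_header (&ctx->hdrs[i]);`, so the comparison is made while the pointer is still valid; however, the in-code comment only says last_tag would be "stale", whereas the commit message states the real consequence (the freed HEADER is dereferenced in mx_sync_mailbox()), and it would help future readers to say "use after free" in the comment as well. It would also be worth confirming, in the same loop, that last_tag is the only cached HEADER pointer in the CONTEXT that can refer to ctx->hdrs[i], since any other such pointer would be left dangling by the same mx_update_tables() path this hunk describes.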
