#3775: Heap-use-after-free when trying save mailbox changes after moving file
-------------------------+---------------------
Reporter: Lekensteyn | Owner: brendan
Type: defect | Status: closed
Priority: major | Milestone:
Component: IMAP | Version:
Resolution: fixed | Keywords: crash
-------------------------+---------------------
Changes (by Kevin McCarthy <kevin@…>):
* status: new => closed
* resolution: => fixed
Comment:
In [40c47fcc9d17609e02f8a0754c4a21b8b38e2749]:
{{{
#!CommitTicketReference repository=""
revision="40c47fcc9d17609e02f8a0754c4a21b8b38e2749"
Fix use after free of ctx->last_tag. (closes #3775)

When using imap to access gmail, tagging and saving messages to "all
mail" and pressing <sync-mailbox> can result in the call path:

  mx_check_mailbox()
  imap_check_mailbox()
  imap_cmd_finish()
  imap_expunge_mailbox()
  mx_update_tables()

followed by:

  mx_sync_mailbox()

The HEADER pointed to by ctx->last_tag will be removed and FREE'ed in
mx_update_tables(), but will subsequently be accessed in
mx_sync_mailbox().

This patch simply sets ctx->last_tag=NULL if it is freed inside
mx_update_tables().

Thanks to Peter Lekensteyn for the bug report and ASAN report.
}}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3775#comment:7>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
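
The fix described in the commit message above, shown as an added example that is not Mutt's code: a simplified C model in which the table-compaction step clears a cached pointer before freeing the header it points to, so the later sync step never dereferences freed memory. The `Header` and `Context` layouts and the `demo_*` functions are hypothetical stand-ins; only the name `last_tag` comes from the ticket.

```c
/* Simplified model, constructed for illustration; not Mutt source code. */
#include <stdlib.h>

typedef struct { int msgno; int deleted; } Header;
typedef struct {
    Header **hdrs;      /* message table */
    size_t   count;
    Header  *last_tag;  /* cached pointer to a table entry, like ctx->last_tag */
} Context;

/* Free deleted headers and compact the table. The cached pointer is cleared
 * before its target is freed, which is the fix the commit describes. */
static void demo_update_tables(Context *ctx)
{
    size_t i, j = 0;
    for (i = 0; i < ctx->count; i++) {
        Header *h = ctx->hdrs[i];
        if (!h->deleted) { ctx->hdrs[j++] = h; continue; }
        if (ctx->last_tag == h)
            ctx->last_tag = NULL;   /* omit this and last_tag dangles */
        free(h);
    }
    ctx->count = j;
}

/* Stand-in for the later sync step; returns last tagged msgno or -1. */
static int demo_sync_last_tag(const Context *ctx)
{
    return ctx->last_tag ? ctx->last_tag->msgno : -1;
}

/* Build n headers, point last_tag at victim, run update then sync. */
int demo_run(size_t n, size_t victim, int delete_victim)
{
    Context ctx = { calloc(n, sizeof(Header *)), n, NULL };
    size_t i;
    int result;
    for (i = 0; i < n; i++) {
        ctx.hdrs[i] = calloc(1, sizeof(Header));
        ctx.hdrs[i]->msgno = (int)i;
    }
    ctx.hdrs[victim]->deleted = delete_victim;
    ctx.last_tag = ctx.hdrs[victim];
    demo_update_tables(&ctx);
    result = demo_sync_last_tag(&ctx);
    for (i = 0; i < ctx.count; i++) free(ctx.hdrs[i]);
    free(ctx.hdrs);
    return result;
}
```

Building this with `-fsanitize=address` and removing the `ctx->last_tag = NULL` line makes the sync step read freed memory, the same class of ASAN finding the ticket reports.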