#3775: Heap-use-after-free when trying to save mailbox changes after moving file
-------------------------+---------------------
Reporter: Lekensteyn | Owner: brendan
Type: defect | Status: new
Priority: major | Milestone:
Component: IMAP | Version:
Resolution: | Keywords: crash
-------------------------+---------------------
Comment (by kevin8t8):
Oh, sorry about that Peter. I must have misunderstood the path triggering
it. (I'm still not super-familiar with the IMAP code).
Somehow IMAP_EXPUNGE_PENDING is getting set between the save and the sync,
which was causing imap_expunge_mailbox() -> mx_update_tables() before the
sync. I thought gmail was sending a FETCH back and our poll was catching
it in imap_check_mailbox(). Perhaps the timing issue also depends on the
server.
In any case the ASAN report you gave was very helpful, and made it clear
that ctx->last_tag was the problem. Despite not completely understanding
how/when the EXPUNGE is getting set, I feel pretty confident the patch
will fix that read-after-free issue, so I'm just going to push it.
Thank you for trying to test it, and if you can trigger it again (with the
patch), feel free to re-open.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3775#comment:6>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
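The bug class described in the comment above (a pointer held in a context struct whose memory was freed by a table update that ran earlier than expected, then read during the later sync) is illustrated here as an added example. It is not mutt's code: the `imap_ctx` struct, `update_tables()`, `response_matches_last_tag()` and the tag value are assumptions constructed for the example. The defensive point it shows is that the owner of the pointer invalidates it at the moment it frees the memory, so a consumer that runs out of the expected order sees a NULL it can check rather than freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context mirroring the shape of the bug in this ticket.
 * Names are assumptions for the example, not mutt's real API. */
struct imap_ctx {
    char *last_tag;        /* owned string; released by update_tables() */
    int expunge_pending;   /* set asynchronously, e.g. after a server EXPUNGE */
};

/* Portable copy helper (avoids relying on strdup feature macros). */
static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Take ownership of a fresh copy of the tag string. */
static void set_last_tag(struct imap_ctx *ctx, const char *tag) {
    free(ctx->last_tag);
    ctx->last_tag = copy_string(tag);
}

/* The "unexpected" path: frees the tag.  The fix is the NULL assignment:
 * a freed-but-dangling pointer is what ASAN reports as heap-use-after-free. */
static void update_tables(struct imap_ctx *ctx) {
    free(ctx->last_tag);
    ctx->last_tag = NULL;
    ctx->expunge_pending = 0;
}

/* Consumer: compares the stored tag against a server response line.
 * Returns 1 on match, 0 on mismatch, -1 if there is no valid tag to compare. */
static int response_matches_last_tag(const struct imap_ctx *ctx, const char *line) {
    if (ctx->last_tag == NULL)
        return -1;
    size_t n = strlen(ctx->last_tag);
    return strncmp(line, ctx->last_tag, n) == 0 && line[n] == ' ';
}

/* Simulates the ordering from the ticket: a save records a tag, an EXPUNGE
 * becomes pending and triggers the table update, then the sync consults
 * last_tag.  Returns the consumer's result for each ordering. */
static int simulate_save_then_sync(int expunge_between) {
    struct imap_ctx ctx = { NULL, 0 };
    set_last_tag(&ctx, "a0042");                    /* constructed tag value */
    if (expunge_between) {
        ctx.expunge_pending = 1;
        update_tables(&ctx);                        /* frees and invalidates */
    }
    /* constructed server response line */
    int r = response_matches_last_tag(&ctx, "a0042 OK Completed");
    free(ctx.last_tag);                             /* free(NULL) is a no-op */
    return r;
}

int main(void) {
    printf("normal order: %d\n", simulate_save_then_sync(0));
    printf("expunge between save and sync: %d\n", simulate_save_then_sync(1));
    return 0;
}
```

Without the `ctx->last_tag = NULL` line in `update_tables()`, the second ordering would read freed memory in `response_matches_last_tag()`, which is exactly the kind of access an ASAN build flags; with it, the consumer gets a defined "no tag" result and the caller can decide how to proceed.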