#3797: mutt.core Signal 11 Segmentation Fault OpenBSD 5.4 -> Current
-------------------------+----------------------
Reporter: shepper | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: maildir/mh | Version: 1.5.24
Resolution: | Keywords:
-------------------------+----------------------
Comment (by kevin8t8):
Great, that helps a lot!
I'm going to spend some more time on this tonight to make sure, but I have
an idea what the problem is.
Inside mh_check_mailbox(), it creates a hash of the maildir/mh entries:
{{{
for (p = md; p; p = p->next)
  hash_insert (fnames, p->h->path, p, 0);
}}}
The hash_insert does not create a copy of p->h->path. It simply directly
uses it as the key.
Later on:
{{{
for (i = 0; i < ctx->msgcount; i++)
{
  [...]
  if ((p = hash_find (fnames, ctx->hdrs[i]->path)) && p->h &&
      (mbox_strict_cmp_headers (ctx->hdrs[i], p->h)))
  {
    [...]
    mutt_free_header (&p->h);
  }
}
}}}
The mutt_free_header() is freeing the p->h->path used in the hash table!
So the next time we enter the same hash bucket and compare the key to the
entry's key, we are comparing against freed memory!
This probably explains why it happens when you have more messages: more
likely to have hash collisions.
Again, I have to go out now, but I'll take a closer look and work on
fixing this later on today.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3797#comment:3>
Mutt <http://www.mutt.org/>
The Mutt mail user agent