Also, it is quite easy to break the stack with very deep recursion here
(same function, imap_body_decode()):
896:    if (*inptr++ != '(')
            return NULL;

        if (ci == NULL) {
            ci = camel_folder_summary_content_info_new (folder->summary);
            g_ptr_array_add (cis, ci);
        }

904:    if (*inptr == '(') {
            /* body_type_mpart */
            CamelMessageContentInfo *tail, *children = NULL;

            tail = (CamelMessageContentInfo *) &children;
            do {
/*!!!*/         if (!(child = imap_body_decode (&inptr, NULL, folder, cis)))
                    return NULL;
                child->parent = ci;
                tail->next = child;
                tail = child;
917:        } while (*inptr == '(');
Just imagine inptr points to a string with some thousands of '('s.
I might be wrong or outdated in exact stack calculations, but supposing at
least 20 bytes of stack per call (ret ptr + 4 pointers in arguments, 4 bytes
per pointer) and a 2 MB thread stack will result in a maximum level of recursion
equal to 2*1024*1024/20 = 104857.
Add here some memory alignment, other calls in this thread's stack,
variables... Stack is not that deep actually. I'd rather expect no more than
5-10 thousand calls.
And I hardly see any checks for this case or any attempt to roll out this
recursion into a loop.
I consider the code dangerous and significantly broken. :(
--
evolution crashed with SIGSEGV after opening email with attachment
https://bugs.launchpad.net/bugs/229669
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
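The depth guard this report asks for, shown as an added example that is not Evolution's code: a toy recursive-descent parser for nested parenthesised lists in the shape of a BODYSTRUCTURE response, with an assumed MAX_NESTING limit of 64 checked right after each '(' is consumed. A constructed input of thousands of '(' is therefore rejected at level 65 instead of costing one C stack frame per character. The Node type and the functions nesting_depth, probe_deep and make_deep_input are names assumed for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed nesting limit; real MIME part trees are a handful of levels deep. */
#define MAX_NESTING 64

typedef struct Node {
    int is_list;            /* 1 for "( ... )", 0 for an atom */
    size_t atom_len;        /* length of the atom text (atoms only) */
    struct Node *children;  /* first child (lists only) */
    struct Node *next;      /* next sibling */
} Node;

static void free_tree(Node *n)
{
    while (n) {
        Node *next = n->next;
        free_tree(n->children);
        free(n);
        n = next;
    }
}

/* Recursive-descent parse of one parenthesised list starting at *inptr.
 * On success advances *inptr past the closing ')' and returns the tree.
 * Returns NULL on malformed input or when nesting exceeds MAX_NESTING,
 * which bounds the C stack no matter how many '(' the input carries. */
static Node *parse_list(const char **inptr, int depth)
{
    const char *p = *inptr;
    if (*p++ != '(')
        return NULL;
    if (depth >= MAX_NESTING)       /* depth guard: the check the quoted code lacks */
        return NULL;

    Node *list = calloc(1, sizeof *list);
    if (!list)
        return NULL;
    list->is_list = 1;
    Node **tail = &list->children;

    for (;;) {
        while (*p == ' ')
            p++;
        if (*p == ')') {
            p++;
            break;
        }
        Node *item;
        if (*p == '(') {
            item = parse_list(&p, depth + 1);   /* recurse only below the limit */
            if (!item) { free_tree(list); return NULL; }
        } else if (*p == '\0') {
            free_tree(list);                    /* unterminated list */
            return NULL;
        } else {
            const char *start = p;
            while (*p && *p != '(' && *p != ')' && *p != ' ')
                p++;
            item = calloc(1, sizeof *item);
            if (!item) { free_tree(list); return NULL; }
            item->atom_len = (size_t)(p - start);
        }
        *tail = item;
        tail = &item->next;
    }
    *inptr = p;
    return list;
}

/* Deepest list nesting in a parsed tree (a bare atom counts as 0). */
static int tree_depth(const Node *n)
{
    if (!n || !n->is_list)
        return 0;
    int deepest = 0;
    for (const Node *c = n->children; c; c = c->next) {
        int d = tree_depth(c);
        if (d > deepest)
            deepest = d;
    }
    return deepest + 1;
}

/* Parse a string; return its nesting depth, or -1 if it was rejected. */
int nesting_depth(const char *s)
{
    const char *p = s;
    Node *t = parse_list(&p, 0);
    if (!t)
        return -1;
    int d = tree_depth(t);
    free_tree(t);
    return d;
}

/* Constructed input: n '(' followed by n ')'. Caller frees the result. */
char *make_deep_input(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (!s)
        return NULL;
    memset(s, '(', n);
    memset(s + n, ')', n);
    s[2 * n] = '\0';
    return s;
}

/* Feed a pathological input of n nesting levels; -1 means it was rejected. */
int probe_deep(size_t n)
{
    char *s = make_deep_input(n);
    if (!s)
        return -1;
    int d = nesting_depth(s);
    free(s);
    return d;
}

int main(void)
{
    printf("small tree depth: %d\n", nesting_depth("(a (b c) (d (e)))"));
    printf("64 levels: %d, 65 levels: %d, 100000 levels: %d\n",
           probe_deep(64), probe_deep(65), probe_deep(100000));
    return 0;
}
```

The guard sits immediately after the '(' is consumed, before any allocation, so a rejected input allocates nothing at the failing level and the partially built tree is freed on the way back up. Turning the recursion into an explicit loop with a heap-allocated stack of parent pointers would remove the C stack from the picture entirely, but a fixed depth limit is the smaller change and is what a MIME tree realistically needs.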