
bug#1659: marked as done (mutt-1.5.4i: Memory corruption)



Your message dated Mon, 6 Oct 2003 12:00:35 +0200
with message-id <20031006100035.GM23043@xxxxxxxxxxxxxxxxxxxxxxxxxx>
and subject line bug#1659: mutt-1.5.4i: Memory corruption
has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Herr der Kaefer
(administrator, GUUG bugs database)

--------------------------------------
From: sam@xxxxxxxxxxx
Organization: Avian Carrier & Friends
Subject: mutt-1.5.4i: Memory corruption
To: submit@xxxxxxxxxxxx
Message-Id: <20031005183731.ACFA7FA9@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sun,  5 Oct 2003 20:37:31 +0200 (CEST)

Package: mutt
Version: 1.5.4i
Severity: important

-- Please type your report below this line

Mutt seems to have a memory corruption problem in address expansion.

I first noticed a warning given by the FreeBSD kernel in the following
situation:

I send a mail (m)
I type a few characters of the name (nrich)
I query my lbdb database (^t)
I choose one address (RETURN)

In some cases (repeatable, but does not trigger with every address),
FreeBSD issues:

  "mutt in free(): warning: chunk is already free"

The attached trace was generated with FreeBSD in "abort instead of warn"
mode ("ln -s A /etc/malloc.conf").

The memory corruption can best be viewed with the following sequence:
(you need to query a database, which one has probably no importance here
except that your query must return several results)

Send a mail (m)
Type a few characters (a)
Query your database (^t)
Select an address (arrows) then ask to send a mail (m)
Cancel the current inner mail (^uRETURN)

You are still in the query result screen, but the address you selected
may have been (visibly) corrupted. If not, try with the next one.

-- System Information
System Version: FreeBSD beeblebrox 4.9-PRERELEASE FreeBSD 4.9-PRERELEASE #0: Sun Sep 28 21:48:11 CEST 2003     root@willow:/usr/obj/usr/src/sys/BEEBLEBROX  i386

-- Build environment information

(Note: This is the build environment installed on the system
muttbug is run on.  Information may or may not match the environment
used to build mutt.)

- gcc version information
gcc
Using builtin specs.
gcc version 2.95.4 20020320 [FreeBSD]

- CFLAGS
-Wall -pedantic -g -O2

-- Mutt Version Information

Mutt 1.5.4i (2003-03-19)
Copyright (C) 1996-2002 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: FreeBSD 4.9-PRERELEASE (i386) [using ncurses 5.1]
Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  
+USE_FCNTL  -USE_FLOCK
-USE_POP  -USE_IMAP  -USE_GSS  -USE_SSL  -USE_SASL  -USE_SASL2  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  -CRYPT_BACKEND_GPGME  
-BUFFY_SIZE -EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  -HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
-HAVE_ICONV  -ICONV_NONTRANS  -HAVE_LIBIDN  +HAVE_GETSID  -HAVE_GETADDRINFO  
ISPELL="/usr/local/bin/ispell"
SENDMAIL="/usr/local/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/local/share/mutt"
SYSCONFDIR="/usr/local/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please use the flea(1) utility.

patch-1.5.4.st.cleantarget.1
patch-1.5.4.st.nowarnings.1

-- Core Dump Analysis Output

(see above: corresponds to "chunk is already free" message from FreeBSD kernel)

GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `mutt'.
Program terminated with signal 6, Abort trap.
Reading symbols from /usr/lib/libncurses.so.5...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x2814aea0 in kill () from /usr/lib/libc.so.4
#0  0x2814aea0 in kill () from /usr/lib/libc.so.4
#1  0x2818c432 in abort () from /usr/lib/libc.so.4
#2  0x2818af1d in isatty () from /usr/lib/libc.so.4
#3  0x2818af53 in isatty () from /usr/lib/libc.so.4
#4  0x2818be4a in isatty () from /usr/lib/libc.so.4
#5  0x2818c0b1 in free () from /usr/lib/libc.so.4
#6  0x8094a51 in safe_free (p=0x80d9234) at lib.c:117
#7  0x80863fa in rfc822_free_address (p=0x80d9220) at rfc822.c:93
#8  0x8082a02 in query_menu (
    buf=0xbfbfbe10 "Nadine RICHARD <nrichard@xxxxxx>", buflen=5120, 
    results=0x80d9220, retbuf=1) at query.c:500
#9  0x8082146 in mutt_query_complete (
    buf=0xbfbfbe10 "Nadine RICHARD <nrichard@xxxxxx>", buflen=5120)
    at query.c:249
#10 0x8061157 in _mutt_enter_string (
    buf=0xbfbfbe10 "Nadine RICHARD <nrichard@xxxxxx>", buflen=5120, y=23, x=4, 
    flags=1, multiple=0, files=0x0, numfiles=0x0, state=0x80dc0e0)
    at enter.c:564
#11 0x80599e4 in _mutt_get_field (field=0x80b0f80 "To: ", 
    buf=0xbfbfbe10 "Nadine RICHARD <nrichard@xxxxxx>", buflen=5120, 
    complete=1, multiple=0, files=0x0, numfiles=0x0) at curs_lib.c:113
#12 0x808a7ad in edit_address (a=0x80dd408, field=0x80b0f80 "To: ")
    at send.c:195
#13 0x808a87e in edit_envelope (en=0x80dd400) at send.c:216
#14 0x808c1f9 in ci_send_message (flags=0, msg=0x80dd380, tempfile=0x0, 
    ctx=0x80dd100, cur=0x0) at send.c:1177
#15 0x805e51f in mutt_index_menu () at curs_main.c:1915
#16 0x806ed09 in main (argc=1, argv=0xbfbffa24) at main.c:907
472     
473     #define M_IGNORE  (1<<0)        /* -z */
474     #define M_BUFFY   (1<<1)        /* -Z */
475     #define M_NOSYSRC (1<<2)        /* -n */
476     #define M_RO      (1<<3)        /* -R */
477     #define M_SELECT  (1<<4)        /* -y */
478     
479     int main (int argc, char **argv)
480     {
481       char folder[_POSIX_PATH_MAX] = "";


---------------------------------------
Date: Mon, 6 Oct 2003 12:00:35 +0200
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: Samuel Tardieu <sam@xxxxxxxxxxx>
Cc: 1659-done@xxxxxxxxxxxx
Subject: Re: bug#1659: mutt-1.5.4i: Memory corruption
Message-ID: <20031006100035.GM23043@xxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <20031005183731.ACFA7FA9@xxxxxxxxxxxxxxxxxxxxxx> 
<20031006095236.GJ23043@xxxxxxxxxxxxxxxxxxxxxxxxxx> 
<2003-10-06-11-59-43+trackit+sam@xxxxxxxxxxx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2003-10-06-11-59-43+trackit+sam@xxxxxxxxxxx>
User-Agent: Mutt/1.5.4i


committing.  thanks

On 2003-10-06 11:59:43 +0200, Samuel Tardieu wrote:
> From: Samuel Tardieu <sam@xxxxxxxxxxx>
> To: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
> Cc: 1659@xxxxxxxxxxxx
> Date: Mon, 6 Oct 2003 11:59:43 +0200
> Subject: Re: bug#1659: mutt-1.5.4i: Memory corruption
> Organization: RFC 1149 (see http://www.rfc1149.net/)
> X-Spam-Level: 
> 
> On  6/10, Thomas Roessler wrote:
> 
> | Unfortunately, I don't "see" the corruption here -- but I have a
> | strong suspicion where it comes from.  Could you please try whether
> | the attached patch fixes the problem?
> 
> It does indeed. Thanks.
> 
>   Sam
> 

-- 
Thomas Roessler                       <roessler@xxxxxxxxxxxxxxxxxx>