
Re: mutt_free_header -> free -> mutt_sort_headers -> segfault



Thanks for that report, and apologies for not replying earlier.
Unfortunately, I don't seem to be able to reproduce the crash with
my own inbox, on a redhat-9 system.  It would be helpful if you
could provide me with a "reproduction package", consisting of:

* a mailbox,
* a message that can be added to that mailbox to trigger the problem,
* the configuration file used. (Should be as close as possible to
  the default configuration.)

Thanks,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.





On 2003-10-31 00:00:20 -0000, q4xk3j002@xxxxxxxxxxxxxx wrote:
> From: q4xk3j002@xxxxxxxxxxxxxx
> To: mutt-dev@xxxxxxxx
> Date: 31 Oct 2003 00:00:20 -0000
> Subject: mutt_free_header -> free -> mutt_sort_headers -> segfault
> X-Spam-Level: 
> 
> current[*] mutt 1.5.4 cvs is using already freed memory
> 
> NOTE: Cc possible replies/extra questions to me.
> 
> [*]
> $ head -n 1 ChangeLog
> 2003-10-08 19:55:39  Thomas Roessler  <roessler@xxxxxxxxxxxxxxxxxx>  (roessler)
> 
> I have gcc-3.3.2, valgrind-20030725, libefence-2.2,
> RH Linux IA-32, glibc-2.3.2-4.80.
> 
> ./configure --with-homespool=Maildir --with-ncurses --with-mixmaster --enable-pop --enable-imap --with-ssl
> 
> 
> 
> you can try to reproduce this way:
> send one mail to user (whose Maildir-inbox is opened in mutt)
> delete the mail
> sync-mailbox
> (maybe press TAB)
> send another mail to the user
> press TAB and get segfault
> 
> (I used the same subject in this test)
> 
> 
> 
> here what valgrind has to say about the test.
> 
> ==3497== ERROR SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> ==3497== 
> ==3497== 1 errors in context 1 of 5:
> ==3497== Conditional jump or move depends on uninitialised value(s)
> ==3497==    at 0x80DC5E6: _nc_do_color (in /usr/local/src/mutt/mutt)
> ==3497==    by 0x80E1837: vidputs (in /usr/local/src/mutt/mutt)
> ==3497==    by 0x80E2038: vidattr (in /usr/local/src/mutt/mutt)
> ==3497==    by 0x80E6FC0: _nc_screen_wrap (in /usr/local/src/mutt/mutt)
> ==3497== 
> ==3497== 1 errors in context 2 of 5:
> ==3497== Conditional jump or move depends on uninitialised value(s)
> ==3497==    at 0x40009565: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> ==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
> ==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> ==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> ==3497== 
> ==3497== 1 errors in context 3 of 5:
> ==3497== Conditional jump or move depends on uninitialised value(s)
> ==3497==    at 0x40009517: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> ==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
> ==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> ==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> ==3497== 
> ==3497== 2 errors in context 4 of 5:
> ==3497== Invalid read of size 1
> ==3497==    at 0x40020363: strcmp (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> ==3497==    by 0x8078764: hash_find_hash (hash.c:104)
> ==3497==    by 0x80B3E7A: mutt_sort_threads (thread.c:778)
> ==3497==    by 0x80B12B1: mutt_sort_headers (sort.c:234)
> ==3497==    Address 0x421ADBCC is 0 bytes inside a block of size 62 free'd
> ==3497==    at 0x40029381: free (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> ==3497==    by 0x80B8661: mutt_free_envelope (muttlib.c:649)
> ==3497==    by 0x80B77E5: mutt_free_header (muttlib.c:270)
> ==3497==    by 0x808BB02: mx_update_tables (mx.c:1097)
> ==3497== 
> ==3497== 15 errors in context 5 of 5:
> ==3497== Source and destination overlap in strncpy(0x421b9cfc, 0x421b9ca0, 168)
> ==3497==    at 0x400202B5: strncpy (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> ==3497== IN SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> ==3497== 
> ==3497== malloc/free: in use at exit: 746762 bytes in 15878 blocks.
> ==3497== malloc/free: 29065 allocs, 13187 frees, 1589232 bytes allocated.
> 
> 
> 
> and gdb+efence
> 
> ---Mutt: ~/Maildir [Msgs:0]---(threads/date)----------------------------(all)---
> Sorting mailbox...
> Program received signal SIGSEGV, Segmentation fault.
> 0x4027c5da in strcmp () from /lib/libc.so.6
> (gdb) bt
> #0  0x4027c5da in strcmp () from /lib/libc.so.6
> #1  0x080b6d3a in mutt_strcmp (a=0x4f24cff8 "\002", b=0x0) at lib.c:574
> #2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0,
>     key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>")
>     at hash.c:104
> #3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> #4  0x080b12b2 in mutt_sort_headers (ctx=0x4e07bf9c, init=0) at sort.c:234
> #5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0,
>     index_hint=0) at curs_main.c:313
> #6  0x08063803 in mutt_index_menu () at curs_main.c:488
> #7  0x08080291 in main (argc=1, argv=0xbfffea64) at main.c:907
> #8  0x40217907 in __libc_start_main () from /lib/libc.so.6
> (gdb) disass $eip-8 $eip+8 
> Dump of assembler code from 0x4027c5d2 to 0x4027c5e2:
> 0x4027c5d2 <strcmp+2>:  and    $0x4,%al
> 0x4027c5d4 <strcmp+4>:  mov    0x8(%esp,1),%edx
> 0x4027c5d8 <strcmp+8>:  mov    (%ecx),%al
> 0x4027c5da <strcmp+10>: cmp    (%edx),%al
> 0x4027c5dc <strcmp+12>: jne    0x4027c5e7 <strcmp+23>
> 0x4027c5de <strcmp+14>: inc    %ecx
> 0x4027c5df <strcmp+15>: inc    %edx
> 0x4027c5e0 <strcmp+16>: test   %al,%al
> End of assembler dump.
> (gdb) print $eip
> $5 = (void *) 0x4027c5da
> (gdb) print $edx
> $6 = 1327738816
> (gdb) frame 2
> #2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0,
>     key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>")
>     at hash.c:104
> 104         if (mutt_strcmp (key, ptr->key) == 0)
> (gdb) print *table
> $10 = {nelem = 2, table = 0x4f24eff8}
> (gdb) up
> #3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> 778             thread = hash_find (ctx->thread_hash, cur->env->message_id);
> (gdb) print *ctx
> $11 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677,
>   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
>   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8,
>   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1,
>   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
>   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
>   collapsed = 0, closing = 0}
> (gdb) print *cur     
> $13 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 0,
>   attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 0,
>   subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, active = 0,
>   trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 0,
>   collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0,
>   date_sent = 1067556675, received = 1067556675, offset = 0, lines = 0, index = 0, msgno = 0,
>   virtual = 0, score = 0, env = 0x4f591fbc, content = 0x4f595fbc,
>   path = 0x4f582fd8 "new/1067556677.3579.safari.finland.fbi", tree = 0x0, thread = 0x0,
>   chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
> (gdb) frame 5
> #5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0,
>     index_hint=0) at curs_main.c:313
> 313       mutt_sort_headers (Context, (check == M_REOPENED));
> (gdb)print *Context
> $15 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677,
>   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
>   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8,
>   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1,
>   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
>   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
>   collapsed = 0, closing = 0}
>